Apple Inc. has patched a password vulnerability in its iCloud service that was targeted by a hacking tool released on New Year's Day.
The tool, dubbed "iDict," used a dictionary attack that exploited a weakness in iCloud's rate-limiting protection to bypass Apple ID lockout restrictions. The source code for the tool was posted on GitHub by a user named "Pr0x13."
"This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it," Pr0x13 wrote on the Github post.
The code includes a 500-entry list of common passwords, such as "password1" or "Iloveyou," which the tool would enter one by one into the password field for a given iCloud account. If a user's iCloud password was not on the iDict list, the tool would not work. However, experienced attackers could easily swap out the bundled list for a different or much larger password list.
Though there's been no official word yet from Apple, various reports -- including an update on Pr0x13's Github post -- suggest Apple has fixed the vulnerability.
The release of iDict marks another major security hole for Apple's cloud service. Following a hack of several celebrity iCloud accounts in August, Apple came under fire for security shortfalls that left iCloud accounts vulnerable to brute-force attacks. Within 24 hours of the hack being reported, Apple put a five-attempt password limit in place for iCloud accounts. Several weeks later, Apple introduced more robust multifactor authentication protection for iCloud.
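The weakness iDict relied on, and the five-attempt limit Apple added, both come down to how a service counts failed logins per account. The following is an added example, not Apple's code and not part of the original article: a hypothetical in-memory `AuthService` that enforces a lockout after `MAX_FAILED` failures within a 15-minute window (the window length is an assumption; the article only states the five-attempt limit), plus a log-review helper that flags (source IP, account) pairs showing a burst of failures. The guess list and the auth log lines are constructed sample data.

```python
"""Added example (not Apple's code): account lockout of the kind described in the
article, and a detection pass over constructed auth log lines."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

MAX_FAILED = 5                 # the five-attempt limit named in the article
LOCKOUT_SECONDS = 15 * 60      # assumption: 15-minute lockout window
ITERATIONS = 50_000            # PBKDF2 rounds for the sample store; tune upward in production


class FakeClock:
    """Deterministic clock so the lockout window can be advanced in a test."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class AuthService:
    """Hypothetical login service: per-account failure window and lockout."""
    def __init__(self, users, clock):
        self._users = users                       # account -> (salt, pbkdf2 digest)
        self._clock = clock
        self._failures = defaultdict(list)        # account -> timestamps of failures
        self._locked_until = {}                   # account -> unlock time

    def _verify(self, account, password):
        rec = self._users.get(account)
        if rec is None:
            # Hash anyway so response time does not reveal whether the account exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def login(self, account, password):
        """Return 'ok', 'wrong', or 'locked'. A locked account rejects even the right password."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"
        # Keep only failures inside the window; older ones no longer count.
        window = [t for t in self._failures[account] if now - t < LOCKOUT_SECONDS]
        self._failures[account] = window
        if self._verify(account, password):
            window.clear()
            return "ok"
        window.append(now)
        if len(window) >= MAX_FAILED:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


# Constructed guess list: two entries named in the article plus filler guesses.
COMMON_GUESSES = ["password1", "Iloveyou"] + [f"guess{i}" for i in range(18)]


def replay_guesses(service, account, guesses):
    """Replay a guess list against one account and tally how the service answered."""
    tally = {"ok": 0, "wrong": 0, "locked": 0}
    for guess in guesses:
        tally[service.login(account, guess)] += 1
    return tally


def demo_lockout():
    """Show that the lockout caps a 20-guess run at MAX_FAILED real attempts."""
    clock = FakeClock(1_000_000.0)
    salt = b"constructed-salt"                     # sample salt, not a real credential
    digest = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", salt, ITERATIONS)
    svc = AuthService({"alice": (salt, digest)}, clock)
    tally = replay_guesses(svc, "alice", COMMON_GUESSES)
    during = svc.login("alice", "correct horse battery")   # right password, still locked
    clock.t += LOCKOUT_SECONDS                              # window expires
    after = svc.login("alice", "correct horse battery")
    return tally, during, after


# Constructed sample auth log, not real iCloud logs.
SAMPLE_AUTH_LOG = [
    "2015-01-01T00:00:01Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:00:03Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:00:05Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:00:07Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:00:09Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:00:11Z ip=198.51.100.7 account=alice result=fail",
    "2015-01-01T00:10:00Z ip=203.0.113.9 account=bob result=fail",
    "2015-01-01T00:25:00Z ip=203.0.113.9 account=bob result=fail",
    "2015-01-01T00:26:00Z ip=203.0.113.9 account=bob result=ok",
]


def flag_dictionary_bursts(lines, threshold=MAX_FAILED, window_seconds=60):
    """Return sorted (ip, account) pairs with >= threshold failures inside window_seconds."""
    events = defaultdict(list)
    for line in lines:
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("result") != "fail":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").timestamp()
        events[(rec["ip"], rec["account"])].append(ts)
    flagged = []
    for key, times in events.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within the window.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_seconds:
                flagged.append(key)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(demo_lockout())
    print(flag_dictionary_bursts(SAMPLE_AUTH_LOG))
```

The lockout check runs before the password is verified, so once an account is locked the service does not distinguish right from wrong guesses, which is what stops a list of 500 entries from being tried in full. Failures are counted per account rather than per source address, since the article's point is that iDict targeted a single Apple ID; a production service would normally combine both views, which is what the log helper's (IP, account) key approximates.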