
AppleID password brute force proof-of-concept - sounds
https://github.com/hackappcom/ibrute
======
eknkc
Weird that this surfaces right after the celebrity photo leak everyone
attributes to an iCloud breach..

~~~
guipsp
This attack was already described by JB'ers for a long time.

~~~
kawsper
What is "JB'ers"?

~~~
p3drosola
jailbreak

------
kirk21
Other people getting mails from Apple saying people tried to reset your Apple
ID? They tried several times just an hour ago (was not checking my mail)...

------
inglor
He's dead Jim
[https://twitter.com/hackappcom/status/506383498333007872](https://twitter.com/hackappcom/status/506383498333007872)

Still, I expected better from Apple. Props for the fast patch.

~~~
camillomiller
Not so fast. This can very well be the leak used to access the celebs nude
pics. Script kiddie gets access to the script. Tests it against some easily
guessable celeb. emails (or emails he already knows somehow). Gets lucky. Gets
access to many other celebrities' emails, gets even luckier. The whole thing
snowballs from there.

What do you guys think?

Addendum: the way it went down on 4chan points towards someone that is not an
expert on extortions. You don't go to the public for some pocket change when
you can have publications or the celebs paying you hundreds of thousands of
dollars for those pictures. Anyway, I hope the FBI gets this freak and put him
in the can for as long as they're able to.

~~~
brymaster
> Anyway, I hope the FBI gets this freak and put him in the can for as long as
> they're able to.

If only people shared the same feelings about illegal mass surveillance and
the lax security of the companies responsible for these breaches.

~~~
camillomiller
I do, I think Snowden is a hero. That does not stop me from thinking that this
kind of behavior should be punished exemplarily. This is no "new product"
leak, nor an ethical hack performed to expose a hidden truth. It's just some
private pictures stolen and uploaded to the internet for the public to see.
Jennifer Lawrence has all the rights to take private nude pictures of herself
in the privacy of her own house. Nobody has the right to steal them, even if
her iCloud password was Katniss.

------
Cthulhu_
So how could people use this to, for example, access people's photos? Doesn't
the two-factor authentication kick in whenever someone logs in from an
untrusted device?

~~~
keypusher
Two-factor authentication is optional and not enabled by default. Not sure if
there is email confirmation required when logging in from an untrusted device
the first time.

------
andrewchambers
Dictionary attacks are incredibly effective. Humans have a hard time coming up
with unique passwords.

~~~
aianus
It'd be nice if Windows/OSX/iOS/Android came with 1Password out of the box.
It's both easier to use and more secure than manual passwords, which is a rare
combination.

~~~
stephenr
Safari on OSX & iOS does do random password suggestions, out of the box.

~~~
zyxley
I've found this to work pretty well in most cases, but there are some websites
that don't semantically mark up their fields in a way the browser can
recognize, and there's no way to manually trigger the password suggestion
feature.

~~~
Tloewald
Worse, many sites -- notably banking sites -- reject secure passwords (no
weird characters, no long passwords)

~~~
stusmall
What is worse than rejecting is I know of one major site that would, at least
used to, silently truncate long passwords. That was... frustrating.

~~~
cynwoody
I used to have an ATM card with an 8-digit PIN. When entering the PIN, I
noticed the screen would flash after the fourth digit. Subsequently, I
discovered I actually only needed to enter the first four. That continued
until the bank got taken over by Bank of America in 2004. Suddenly, I needed
to enter the whole PIN!

------
RyanZAG
Hopefully Apple is doing more than just fixing the code flaw, and is using
logs to see which emails had brute force attempted on them and locked/reset
those Apple IDs.
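
A sketch of the log review suggested in the comment above, added here as an illustration and not part of the original thread or any Apple tooling. The log format, the five-minute window, the threshold of five and the `lock`/`reset` verdicts are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 5                  # assumed failures inside the window that count as a burst

# Constructed sample log: "<ISO timestamp> <account> <source IP> <FAIL|OK>"
SAMPLE_LOG = "\n".join(
    [f"2014-09-01T10:00:{s:02d} alice@example.com 203.0.113.5 FAIL" for s in range(0, 50, 10)]
    + ["2014-09-01T10:01:00 alice@example.com 203.0.113.5 OK"]
    + [f"2014-09-01T11:00:{s:02d} bob@example.com 198.51.100.7 FAIL" for s in range(0, 50, 10)]
    + [f"2014-09-01T{h:02d}:00:00 dave@example.com 192.0.2.9 FAIL" for h in range(12, 17)]
    + ["2014-09-01T09:00:00 carol@example.com 192.0.2.1 FAIL",
       "2014-09-01T09:00:30 carol@example.com 192.0.2.1 OK"]
)

def parse(log):
    """Yield (timestamp, account, ip, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK"):
            continue
        ts, account, ip, result = parts
        yield datetime.fromisoformat(ts), account.lower(), ip, result

def triage(log):
    """Map each account that saw a failure burst to 'lock' or 'reset'.

    'lock'  : burst of failures, no later successful login seen.
    'reset' : a login succeeded after the burst, so the password may have been guessed.
    """
    recent = defaultdict(list)  # account -> failure timestamps still inside WINDOW
    verdict = {}
    for ts, account, _ip, result in sorted(parse(log)):
        if result == "FAIL":
            recent[account] = [t for t in recent[account] if ts - t <= WINDOW] + [ts]
            if len(recent[account]) >= THRESHOLD:
                verdict.setdefault(account, "lock")
        elif account in verdict:
            verdict[account] = "reset"
    return verdict

if __name__ == "__main__":
    for account, action in sorted(triage(SAMPLE_LOG).items()):
        print(account, action)
```

In the constructed data, the account with a few mistyped passwords and the one with failures spread over hours are not flagged; only the two burst patterns are.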

------
contingencies
Does anyone else prefer to entirely avoid signing up for an Apple ID?

I absolutely refuse to do so, and therefore use only software that doesn't
require it. I suspect I'm not entirely alone out here on the sidelines...

~~~
pjc50
Is it actually possible to use an iDevice without one?

~~~
malka
I guess he also does not use hardware that requires AppleID either.

------
iPhoneunlockpro
I solve the problem with bypass iCloud activation screen lock on my iPhone
from Apple. Hackers hack it!!! This bypass iCloud software is available on
this page: www.bypassicloudactivationlock.net. This is a survey page, so
for downloading the tool I must complete a survey (I download Flash player
before the tool). Nice job hackers. Great work ...

------
Dzordz42
The bomb on Apple iOS security is here. My friend bypassed the iCloud activation
screen lock with the hack tool from this page
[http://bypassicloudactivationlock.blogspot.com/](http://bypassicloudactivationlock.blogspot.com/)
Look at it if you have this problem - you can solve it here

------
cr3ative
This is interesting, but it seems irresponsible to even attempt to expose the
endpoint at fault for this until it is fixed.

------
delackner
How is it ethical to distribute this without first disclosing to Apple and
waiting for a fix at least a few days?

~~~
tomjen3
Simple: it is Apple's problem if their servers aren't secure. You don't owe
Apple free work.

Delayed disclosure is a nicety, not something you are obligated to do.

~~~
shapov
So there is no ethical responsibility to protect the users who will be left
vulnerable to this exploit? Remember the danger here is screwing people who
have iCloud accounts. It's not like Julie the housewife in Minnesota had any
say in the security of Apple's products.

~~~
Drakim
One problem is that if the exploit is given silently to the company, they
often don't change any of their practices (even if they fix that particular
exploit), and more exploits soon surface, and maybe this time by people who
plan to abuse them instead of telling the company.

By going loud and public, you ensure that the company has to do something to
save face. It can't just be forgotten on some manager's desk.

And the fact is, you, as part of the public, would only know about the times
when somebody goes loud about an exploit. For all you know, there might have
been hundreds upon hundreds of times when security researchers have gone to the
company and been outright ignored, and when one finally goes loud with what he
has found, you say "He really should have done this more quietly, it would
have been much more responsible"

------
antimagic
It should be noted that the attack has just been patched by Apple, so no
longer works....

------
mogui
Has anyone confirmed that the leak is from iCloud and that's the way they did
it?

~~~
maximumoverload
Nobody is sure how they did it. Or even if it comes from iCloud.

The leakers themselves claim it was from iCloud (the actual leaker only bought
it online from various hackers though, again according to him).

------
5414h
Does this mean that you can bypass the iCloud activation?

~~~
camillomiller
No it has nothing to do with it. It's just a script exploiting the former lack
of a brute force containment measure on Find My iPhone's login interface, now
patched.
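
The containment measure described in the comment above, as an added example that is not part of the original thread and not Apple's code: a failed-login throttle keyed on the account alone, so that no single login interface can be left outside it. The class names, endpoint labels and policy values are assumptions.

```python
import hmac
import time

MAX_FAILURES = 5        # assumed policy: failures before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout duration

class AccountThrottle:
    """Failure counter keyed by account only, shared by every login interface."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account -> (consecutive failures, locked-until time)

    def is_locked(self, account):
        _, until = self._state.get(account, (0, 0.0))
        return self._clock() < until

    def record(self, account, success):
        if success:
            self._state.pop(account, None)   # reset the counter on success
            return
        failures, until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= MAX_FAILURES:
            failures, until = 0, self._clock() + LOCKOUT_SECONDS
        self._state[account] = (failures, until)

class AuthService:
    """Hypothetical service: all endpoints go through login(), none bypasses the throttle."""
    def __init__(self, passwords, throttle):
        self._passwords = passwords  # plaintext only to keep the demo short
        self._throttle = throttle

    def login(self, endpoint, account, password):
        # 'endpoint' is deliberately not part of the throttle key.
        account = account.lower()
        if self._throttle.is_locked(account):
            return "throttled"       # refuse before comparing the password
        expected = self._passwords.get(account, "")
        same = hmac.compare_digest(expected.encode(), password.encode())
        ok = same and account in self._passwords
        self._throttle.record(account, ok)
        return "ok" if ok else "denied"

if __name__ == "__main__":
    svc = AuthService({"user@example.com": "correct horse"}, AccountThrottle())
    for i in range(MAX_FAILURES):
        print("web:", svc.login("web", "user@example.com", f"guess{i}"))
    print("findmy:", svc.login("findmy", "user@example.com", "correct horse"))
```

Account-keyed lockout lets anyone lock a victim out by failing on purpose, so deployments usually pair it with per-source limits or a challenge step.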

------
surendrapratap
x@508585 surendrapratap

------
Thesaurus
It's sad that there aren't legal requirements for security hardening. There
are massive corporations which retain sensitive information that are low
hanging fruit for script kiddies.

~~~
kmfrk
There is if a company promises the kind of security in marketing, though.
SnapChat got slapped (and just that) for promising ephemeral messaging:
[http://www.ftc.gov/news-events/press-releases/2014/05/snapch...](http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were).

------
josteink
I guess some female celebrities are going to reconsider Android next time they
buy a smartphone.

~~~
joeyspn
CyanogenMod specifically...

~~~
letmechimein
Agree. I can totally see a celeb buying an Android then going online and
hunting CyanogenMod and then flashing their phone.

~~~
svenkat
Good point. They're probably too poor to afford to hire someone to do it for
them. /s

------
joeyspn
This whole "exploit / massive celebrity pics leak" is surreal... Is this
Apple's answer to _Cloud to Butt_ Google Chrome's extension?

That's the reason why I will never trust the cloud for personal stuff (for
non-critical professional stuff is ok)... I'd only be willing to test
MaidSafe, after they reach a stable release...

------
Geee
I don't know if this was the attack used in the hack, but it is really, really
bad news for Apple. The public is not going to trust iCloud any more. I'm
pretty sure Apple will drop iWallet from the keynote, or it'll end up like
their maps.

~~~
herghost
Yeah, no one plays Playstation since the Sony hack. And I bet no one shops at
Target any more. TKMaxx ceased trading right after their hack. Linked In is a
thing of the past.

~~~
gwern
Target's quarterly revenue did fall after the hack.

