AppleID password brute force proof-of-concept (github.com/hackappcom)
141 points by sounds on Sept 1, 2014 | hide | past | favorite | 80 comments

Weird that this surfaces right after the celebrity photo leak everyone attributes to an iCloud breach...

Not weird at all, makes perfect sense. The code/idea is so trivial that I would find it hard to believe any accusations on the author of the code...

One could probably modify a much more sophisticated/fast brute-force software to attack iCloud, like hydra[1].

Given the deep pockets Apple has, I don't understand how something like this was even possible.

[1] https://www.thc.org/thc-hydra/

Currently the rumour is that the photo leak is an underground celeb photo sharing ring, where you use photos you've hacked to get access to more photos, and isn't limited to iCloud / Apple, but who knows.

This attack was already described by JB'ers for a long time.

What is "JB'ers"?

How do you mean?

I'm pretty sure this attack is described in iH8Sn0w's slides for jbcon

Other people getting mails from Apple saying people tried to reset your Apple ID? They tried several times just an hour ago (was not checking my mail)...

He's dead Jim https://twitter.com/hackappcom/status/506383498333007872

Still, I expected better from Apple. Props for the fast patch.

>Still, I expected better from Apple.

Here is another flaw in iPhone. If a person is casting their screen to an Apple TV and must enter their PIN number, the screen will highlight each button press on the TV. No fingers in the way to even block it. Simple solution: don't broadcast this or don't provide screen feedback for entering the PIN.

Not so fast. This can very well be the leak used to access the celebs' nude pics. Script kiddie gets access to the script. Tests it against some easily guessable celeb emails (or emails he already knows somehow). Gets lucky. Gets access to many other celebrities' emails, gets even luckier. The whole thing snowballs from there.

What do you guys think?

Addendum: the way it went down on 4chan points towards someone that is not an expert on extortion. You don't go to the public for some pocket change when you can have publications or the celebs paying you hundreds of thousands of dollars for those pictures. Anyway, I hope the FBI gets this freak and puts him in the can for as long as they're able to.

> Anyway, I hope the FBI gets this freak and puts him in the can for as long as they're able to.

If only people shared the same feelings about illegal mass surveillance and the lax security of the companies responsible for these breaches.

I do, I think Snowden is a hero. That does not stop me from thinking that this kind of behavior should be punished exemplarily. This is no "new product" leak, nor an ethical hack performed to expose a hidden truth. It's just some private pictures stolen and uploaded to the internet for the public to see. Jennifer Lawrence has every right to take private nude pictures of herself in the privacy of her own house. Nobody has the right to steal them, even if her iCloud password was Katniss.

Sounds plausible. And if it’s not this particular bug it may very well be some other. I find it hard to believe that someone just hacked his way into 400+ phones without any kind of glitch in the system. And judging by the fact that he went only for pictures and videos it doesn’t sound like an elaborate scam that could use high profile hacks like a fake connection antenna or something equally sophisticated.

Before the bug got public, I was thinking of some sort of Bluetooth honeypot attack at a big event, say the Oscars, or Grammys

Address books are backed up on iCloud, aren't they? So you get into one celeb account and it's easy from there. Use their address book to find agent/manager/publicists' info, then an endless chain of celebs from there.

You can find agents from IMDB Pro too. It's not that hard if you're determined (or obsessed for that matter).

@nikcub seems to think it wasn't this.

He's assuming from when the tool was released. The exploit was in the wild for much longer.

The password list for this particular implementation is pretty limited. I doubt all the celebs hacked had a password on that list. The concept may well have been used with different code / pw dictionary.

The leaker got doxxed by 4chan and doesn't seem capable of discovering the exploit on his own.

Though he's commented to Buzzfeed denying it was him (but anyone would).

@nikcub still thinks it's him

I'm watching them continue to attempt to hack new accounts on a forum, so whatever Apple patched with this bug wasn't it.

So how could people use this to, for example, access people's photos? Doesn't the two-factor authentication kick in whenever someone logs in from an untrusted device?

Two-factor authentication is optional and not enabled by default. Not sure if there is email confirmation required when logging in from an untrusted device the first time.

Dictionary attacks are incredibly effective. Humans have a hard time coming up with unique passwords.

It'd be nice if Windows/OSX/iOS/Android came with 1Password out of the box. It's both easier to use and more secure than manual passwords, which is a rare combination.

Safari on OSX & iOS does do random password suggestions, out of the box.

I've found this to work pretty well in most cases, but there are some websites that don't semantically mark up their fields in a way the browser can recognize, and there's no way to manually trigger the password suggestion feature.

Worse, many sites -- notably banking sites -- reject secure passwords (no weird characters, no long passwords)

One of my credit cards requires a password no longer than 16 characters, no spaces, no special characters. They're only a few more restrictions away from just requiring that it be a significant birthday or something similar.

What is worse than rejecting is I know of one major site that would, at least used to, silently truncate long passwords. That was... frustrating.

I used to have an ATM card with an 8-digit PIN. When entering the PIN, I noticed the screen would flash after the fourth digit. Subsequently, I discovered I actually only needed to enter the first four. That continued until the bank got taken over by Bank of America in 2004. Suddenly, I needed to enter the whole PIN!

I think generally all it needs is a password field.

My Thai business banking system is paranoid and disables autocomplete, paste, etc. (even with the security of a physical token), but the one that really annoys me is things like Basecamp - I had to futz around and disable JavaScript for a login to be recognised and prompt to save a password - by default it does an XHR which doesn't trigger the "save password" prompt.

They are also quite easy to prevent, though.

They are, but the average granny or non-tech person doesn't care enough.

I was thinking server side..

And most services with password strength requirements, for that matter.

It's actually quite easy using something like the battery horse staple thing. Most people just don't care enough about passwords.

Hopefully Apple is doing more than just fixing the code flaw, and is using logs to see which emails had brute force attempted on them and locked/reset those Apple IDs.

Does anyone else prefer to entirely avoid signing up for an Apple ID?

I absolutely refuse to do so, and therefore use only software that doesn't require it. I suspect I'm not entirely alone out here on the sidelines...

Is it actually possible to use an iDevice without one?

I guess he also does not use hardware that requires an Apple ID either.

Yes. You just can't download apps or use iCloud services.

I solve the problem with bypass iCloud activation screen lock on my iPhone from Apple. Hackers hack it!!! This bypass iCloud software is available on this page: www.bypassicloudactivationlock.net. This is a survey page, so for downloading the tool I must complete a survey (I download Flash player before the tool). Nice job hackers. Great work...

The bomb on Apple iOS security is here. My friend bypassed the iCloud activation screen lock with the hack tool from this page http://bypassicloudactivationlock.blogspot.com/ Look at it if you have this problem - you can solve it here

This is interesting, but it seems irresponsible to even attempt to expose the endpoint at fault for this until it is fixed.

How is it ethical to distribute this without first disclosing to Apple and waiting for a fix at least a few days?

Simple: it is Apple's problem if their servers aren't secure. You don't owe Apple free work.

Delayed disclosure is a nicety, not something you are obligated to do.

So there is no ethical responsibility to protect the users who will be left vulnerable to this exploit? Remember the danger here is screwing people who have iCloud accounts. It's not like Julie the housewife in Minnesota had any say in the security of Apple's products.

One problem is that if the exploit is given silently to the company, they often don't change any of their practices (even if they fix that particular exploit), and more exploits soon surface, and maybe this time by people who plan to abuse them instead of telling the company.

By going loud and public, you ensure that the company has to do something to save face. It can't just be forgotten on some manager's desk.

And the fact is, you, as part of the public, would only know about the times when somebody goes loud about an exploit. For all you know, there might have been hundreds upon hundreds of times when security researchers have gone to the company and been outright ignored, and when one finally goes loud with what he has found, you say "He really should have done this more quietly, it would have been much more responsible".

Maybe the harm caused to a few people is worth the publicity and increased awareness.

Ethics are a nicety, not an obligation.

Not very. We don't know if they contacted Apple. However, from my knowledge Apple doesn't offer a bug bounty or often respond to security notifications.

"The end of fun, Apple have just patched"

It is not and it probably had consequences (celebrity nude pics leak).

It should be noted that the attack has just been patched by Apple, so no longer works....

Has anyone confirmed that the leak is from iCloud and that's the way they did it?

Nobody is sure how they did it. Or even if it comes from iCloud.

The leakers themselves claim it was from iCloud (the actual leaker only bought it online from various hackers though, again according to him).

According to the person who is actually leaking these pictures to popular forums, he acquired many of the pictures either by trading or buying them from the -real- hackers on one of those shady online marketplaces.

He claims the hackers got them from iCloud hacks, and other more social engineering hacks.

Does this mean that you can bypass the iCloud activation?

No it has nothing to do with it. It's just a script exploiting the former lack of a brute force containment measure on Find My iPhone's login interface, now patched.
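A defender-side sketch of the "brute force containment measure" mentioned above, together with the log sweep suggested earlier in the thread (finding which accounts saw repeated failures). This is an added example, not code from the thread or from the linked proof-of-concept; the LoginGuard class, check_password callback, log format and thresholds are all assumptions, and the log lines are constructed.

```python
"""Per-account login throttling plus a log sweep for targeted accounts.
Added illustration; nothing here models Apple's or Find My iPhone's
actual implementation."""
import re
from collections import defaultdict

MAX_FAILURES = 5   # failed attempts tolerated per account within WINDOW
WINDOW = 600       # seconds over which failures are counted
LOCKOUT = 900      # seconds an account stays locked once the limit is hit

class LoginGuard:
    """Counts failures per account (not per source IP), so a dictionary
    attack spread across many addresses still hits the limit. While an
    account is locked, even the correct password is refused."""
    def __init__(self, check_password):
        self.check_password = check_password      # (account, pw) -> bool
        self.failures = defaultdict(list)         # account -> timestamps
        self.locked_until = {}

    def attempt(self, account, password, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        self.failures[account] = recent           # drop expired failures
        if self.check_password(account, password):
            self.failures[account] = []           # success resets the count
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            return "locked"
        return "denied"

# Constructed auth-log lines in an assumed key=value format.
LOG_LINES = [
    "2014-09-01T10:00:01 login result=fail account=alice@example.com ip=198.51.100.7",
    "2014-09-01T10:00:02 login result=fail account=alice@example.com ip=198.51.100.8",
    "2014-09-01T10:00:03 login result=fail account=bob@example.com ip=203.0.113.5",
    "2014-09-01T10:00:04 login result=fail account=alice@example.com ip=198.51.100.9",
    "2014-09-01T10:00:05 login result=ok account=bob@example.com ip=203.0.113.5",
    "2014-09-01T10:00:06 login result=fail account=alice@example.com ip=198.51.100.7",
    "2014-09-01T10:00:07 login result=fail account=alice@example.com ip=198.51.100.8",
]
LOG_RE = re.compile(r"result=(\w+) account=(\S+)")

def targeted_accounts(lines, threshold=MAX_FAILURES):
    """Accounts with at least `threshold` failed logins: the ones an
    operator would lock or force-reset after patching the endpoint."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "fail":
            counts[m.group(2)] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)
```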


It's sad that there aren't legal requirements for security hardening. There are massive corporations which retain sensitive information that are low hanging fruit for script kiddies.

There is if a company promises the kind of security in marketing, though. SnapChat got slapped (and just that) for promising ephemeral messaging: http://www.ftc.gov/news-events/press-releases/2014/05/snapch....

idk, I can imagine the recent celebrity leaks would sue Apple for allowing those pictures to be distributed. Of course, I'm sure Apple's got a clause in its iCloud T&C's that makes them deny liability.

I guess some female celebrities are going to reconsider Android next time they buy a smartphone.

Your typical Android phone has 2-3 built in backup options (e.g. Google+ photo backup, Google Cloud Backup, [manufacturer] backup).

So unless those are all well secured (and they may be, no clue) then moving to Android is no magical fix.

A better way of doing things is making it more clear to people what they are and aren't backing up. I'm sure for the majority of people backing up nudes is unintentional.

CyanogenMod specifically...

Agree. I can totally see a celeb buying an Android then going online and hunting CyanogenMod and then flashing their phone.

Good point. They're probably too poor to afford to hire someone to do it for them. /s

This whole "exploit / massive celebrity pics leak" is surreal... Is this Apple's answer to Cloud to Butt Google Chrome's extension?

That's the reason why I will never trust the cloud for personal stuff (for non-critical professional stuff it's ok)... I'd only be willing to test MaidSafe after they reach a stable release...

I don't know if this was the attack used in the hack, but it is really, really bad news for Apple. The public is not going to trust iCloud any more. I'm pretty sure Apple will drop iWallet from the keynote, or it'll end up like their maps.

Yeah, no one plays PlayStation since the Sony hack. And I bet no one shops at Target any more. TKMaxx ceased trading right after their hack. LinkedIn is a thing of the past.

Target's quarterly revenue did fall after the hack.

Don't forget eBay, they went out of business. Adobe has also shut down.

"End up like their maps," meaning frequently used by the vast majority of iDevice owners?

I'm no fan of Apple Maps. I pretty much only use it when I have to (e.g. because Find My Friends uses it) or to make fun of it. But there are a ton of people who don't care and just use the default. Even among my tech-savvy programmer friends it's common.

Since they've already patched it, this seems unlikely.

I think you're on a roll there.

You sure Apple won't also get rid of TouchID as well?
