iCloud accounts at risk after hacker releases tool allowing access to any login
Other hackers criticise publishing of tool, rather than informing Apple of exploit
All iCloud accounts could be vulnerable to hacking by a new tool that claims it can break into any user’s login.
The tool claims to use an exploit to get through Apple’s security.
It uses a “dictionary attack” to get into accounts: a hack that automatically tries a list of common passwords against an account until the right one is found. Sites usually defend against this by locking an account, or refusing further attempts, after a small number of failed logins, but the tool claims to be able to bypass that lockout.
A number of posters on Twitter and Reddit claimed to have used the tool successfully.
If it does work, setting up two-step verification, which requires users to enter a code sent to their phone in addition to the password, should keep such an attack at bay: guessing the password alone is no longer enough to get in. Otherwise, if the exploit is genuine, there is little users can do until Apple fixes it, beyond choosing a password that is not in any dictionary.
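To make the mechanics above concrete, here is a small simulation of a dictionary attack against a toy login service, once with no lockout, once with a per-account lockout, and once with a second factor enabled. This is an added example written for this page; it is not code from the iDict tool or from Apple, and the accounts, wordlist, lockout threshold and static second-factor code are all constructed for illustration.

```python
"""Dictionary attack against a toy login service, with and without the
defences the article mentions: a per-account lockout after repeated
failures, and a second factor. Added example; not the iDict tool's code
and not Apple's. Accounts, wordlist and thresholds are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed wordlist; real dictionary attacks use millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine",
            "iloveyou", "monkey", "dragon"]


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    second_factor: Optional[str] = None  # constructed static code; real 2SV uses fresh codes
    failures: int = 0
    locked: bool = False


class LoginService:
    """max_failures=None models a login path with no lockout at all."""

    def __init__(self, max_failures: Optional[int] = None):
        self.max_failures = max_failures
        self.accounts = {}

    def register(self, user: str, password: str, second_factor: Optional[str] = None) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), second_factor)

    def login(self, user: str, password: str, code: Optional[str] = None) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"
        if acct.locked:
            return "locked"  # refuse before the password is even checked
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures += 1
            if self.max_failures is not None and acct.failures >= self.max_failures:
                acct.locked = True
                return "locked"
            return "invalid"
        if acct.second_factor is not None:
            if code is None or not hmac.compare_digest(code, acct.second_factor):
                return "second_factor_required"
        acct.failures = 0
        return "ok"


def dictionary_attack(service: LoginService, user: str, wordlist) -> Tuple[str, Optional[str], int]:
    """Try each candidate until the account opens, locks, or the list runs out.
    Returns (outcome, password_or_None, attempts_made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = service.login(user, candidate)
        if result == "ok":
            return "compromised", candidate, attempts
        if result == "locked":
            return "locked_out", None, attempts
        if result == "second_factor_required":
            # The password was guessed, but the account is still closed to the attacker.
            return "stopped_by_second_factor", candidate, attempts
    return "exhausted", None, attempts


if __name__ == "__main__":
    for label, svc in [("no lockout", LoginService()),
                       ("lockout after 3", LoginService(max_failures=3))]:
        svc.register("victim@example.com", "sunshine")
        print(label, dictionary_attack(svc, "victim@example.com", WORDLIST))
    svc = LoginService()
    svc.register("victim@example.com", "sunshine", second_factor="482913")
    print("two-step", dictionary_attack(svc, "victim@example.com", WORDLIST))
```

The lockout only helps if every authentication path enforces it: a counter on the main login form is worthless if another endpoint that accepts the same credentials does not share it, which is the kind of gap a lockout-bypass tool exploits. The second factor closes the account even when the password is in the wordlist, which is why the article's advice to enable two-step verification holds regardless of whether the lockout bypass is real.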
The creator of the tool said that they had released it “so Apple will patch it”. But other security researchers criticised the release, and said that the user, who calls themselves pr0x13, should have reported the problem to Apple privately first.
“If you have any interest in preventing harm, dropping a zero day on a national holiday without any attempt at responsible disclosure is probably not the best approach,” said one user on Reddit. A “zero day” is a vulnerability that the software’s maker does not yet know about, so no fix is available when the exploit appears.
Unlike other tech companies, Apple does not have a ‘bug bounty’ programme — a reward system that gives hackers cash for bringing exploits to their attention.
A Twitter account claiming to belong to the person that found the bug posted contradictory statements about how the tool can be used. It told followers to “Only use iDict on your own email”, but also repeatedly publicised the hack and the fact that the tool worked to bypass locked accounts.
Weaknesses in iCloud were also thought to have been used to steal the hundreds of private celebrity pictures leaked in what was called ‘The Fappening’, in August and September.