09/04/2014

The hacking tool against Apple's iCloud is still online, but Apple patched it

"On August 30, just a day before the massive leak, proof-of-concept code for an AppleID password brute-force was uploaded to GitHub by a mobile security team HackApp. What a coincidence! Isn't it?
 
The proof-of-concept code for the exploit is known as iBrute. The code exploited a vulnerability in Apple's Find My iPhone application sign-in page. The flaw let hackers flood the site with multiple password attempts without being locked out, and by using brute-force techniques, hackers could guess the password used to protect those celebrities' accounts. Apple patched the vulnerability early on September 1." http://thehackernews.com/2014/09/apple-patches-find-my-ip...
 
And no, Apple doesn't communicate about that. It talks a lot about two-factor authentication as a solution, but that IS NOT a solution, because two-factor authentication is not used by every Apple service, and especially not when you use or update backups.
 
So if you want to use two-factor authentication with Apple, you have to make your backups offline, at home, on your own hardware, because activating any of Apple's backup solutions or functions will just undo that protection.
 
The BUG was that Apple's simple authentication login (the Find My iPhone sign-in) had no brute-force protection (some other Apple services do have it), which means you could try as many passwords as you liked without being locked out or having to wait an hour before trying other passwords.
 
So what did they do? Well, they just took the usernames they found somewhere online and then tried a set of popular passwords, and some of them worked. By the way, if your login has no brute-force protection, there are 1 billion passwords online that can be tried, although that would be too many.
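As an added illustration (not code from this post, from Apple or from HackApp), here is the kind of check the sign-in page was missing: a per-account failed-attempt counter with a lockout window, with the unprotected behaviour switchable so the two can be compared. The account, password, wordlist and thresholds are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed demo account; a real service would store a salted, slow password
# hash (e.g. bcrypt), plain SHA-256 is used here only to keep the example short.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
MAX_FAILURES = 5       # consecutive failures allowed before the account locks
LOCKOUT_SECONDS = 900  # lock duration (15 minutes); constructed value

class LoginService:
    """Password login with an optional per-account lockout.
    protect=False reproduces the weakness described above: every attempt is
    checked no matter how many have already failed."""

    def __init__(self, users, protect=True, clock=time.monotonic):
        self.users, self.protect, self.clock = users, protect, clock
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> clock value when the lock expires

    def is_locked(self, user):
        return self.protect and self.clock() < self.locked_until.get(user, 0)

    def login(self, user, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(user):
            return "locked"  # refused before the password is even checked
        digest = hashlib.sha256(password.encode()).hexdigest()
        # Unknown users get the same answer as wrong passwords (no enumeration).
        if hmac.compare_digest(digest, self.users.get(user, "")):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.protect and self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return "bad_password"

def simulate_guessing(service, user, wordlist):
    """Feed a wordlist to one account and return (attempts_checked, password_found).
    With protect=True the run stops at MAX_FAILURES; without it every guess is tested."""
    checked = 0
    for guess in wordlist:
        result = service.login(user, guess)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            return checked, guess
    return checked, None
```

A hard lock of this kind also lets someone lock a victim out on purpose, so real deployments usually combine it with per-source throttling or increasing delays rather than relying on it alone.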
 
And Apple has the wrong company culture, the wrong security culture and the wrong security communication.
