
New password-hacking tool for iCloud claims to evade Apple’s brute-force protections


Update: We are now receiving reports that the vulnerability has been patched. People trying to use the tool are apparently now being correctly locked out from repeated password attempts.

A new tool submitted to GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.

The source code for the tool has been released on GitHub. On inspection, the tool is crude: it simply tries every word in its 500-word list as the password for a given iCloud account email. So while it will “100%” succeed at making 500 attempts, it is by no means guaranteed to crack your password.

Any password that is not simply a word from the dictionary listed on this page is safe from this ‘hack’. Still, brute-force vulnerabilities are very important as many users do use plain dictionary words as their passwords. More determined hackers could also use the exploit to brute-force much more complex passwords, so the threat is very real. For instance, hackers with more resources could use a dramatically larger word list than the one posted on GitHub.

Apple should be able to patch the hole soon, however. It is not a complicated hack — it appears to rely on pretending to be an iPhone device. For whatever reason, Apple’s servers allow this type of request indefinitely, without locking password attempts after several requests.
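The defensive counterpart to what the article describes, as an added example that is not code from the tool, from Apple or from 9to5Mac: a login throttle keyed on the account alone, so a request claiming to be an iPhone gets no separate attempt budget, using temporary exponential backoff rather than a hard lockout so that flooding an account with wrong passwords cannot lock its owner out (the DoS concern raised in the comments below). The word list, account name and delay values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-account failure throttle with exponential backoff (added example).

    The counter is keyed on the account alone: the device type a request
    claims (User-Agent, device headers) never selects a different counter,
    so a client pretending to be another device still hits the same limit.
    The delay is temporary rather than a hard lockout, so flooding an
    account with wrong passwords cannot permanently shut its owner out.
    """
    free_failures: int = 5       # failures allowed before any delay (assumed value)
    base_delay: float = 30.0     # seconds imposed after the 6th failure (assumed)
    max_delay: float = 3600.0    # cap on the doubling backoff (assumed)
    _fails: dict = field(default_factory=dict)  # account -> (count, next_allowed)

    def check(self, account: str, now: float):
        """Call before verifying a credential. Returns (allowed, retry_after)."""
        _, next_allowed = self._fails.get(account, (0, 0.0))
        if now < next_allowed:
            return False, next_allowed - now
        return True, 0.0

    def record(self, account: str, success: bool, now: float):
        """Call after verifying: a success clears the counter, a failure grows it."""
        if success:
            self._fails.pop(account, None)
            return
        count = self._fails.get(account, (0, 0.0))[0] + 1
        excess = count - self.free_failures
        delay = 0.0 if excess <= 0 else min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        self._fails[account] = (count, now + delay)

def simulate_dictionary_run(words, real_password, account="victim@example.invalid"):
    """Fire one guess per second at one account; return how many guesses reached
    the password check and whether the real password was among them."""
    throttle = LoginThrottle()
    now, verified, guessed = 0.0, 0, False
    for word in words:
        allowed, _ = throttle.check(account, now)
        if allowed:
            ok = word == real_password
            verified += 1
            guessed = guessed or ok
            throttle.record(account, ok, now)
        now += 1.0
    return verified, guessed

if __name__ == "__main__":
    wordlist = [f"word{i}" for i in range(500)]   # constructed stand-in for a 500-word list
    print(simulate_dictionary_run(wordlist, "correct horse battery staple"))  # (10, False)
```

With these values only 10 of the 500 guesses ever reach the password check, and the account is reachable again by its owner as soon as the current delay expires.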

The Photos app for iCloud.com has been pulled, although it’s unclear if there is any connection. Infamously, a host of celebrities had their iCloud account information stolen in August 2014, causing thousands of nude and revealing photos to be posted online.


Comments

  1. Boris Terekidi - 9 years ago

    Those who use dictionary words as their passwords deserve to be hacked.

  2. Eric Lee - 9 years ago

    Who is that stupid using those words as passwords?????

  3. Edison Wrzosek - 9 years ago

    Yet another hyperbole article and headline, reporting on another hyperbole “exploit” that has seemingly been written by script kiddies. 9to5Mac seems to be getting a wee bit desperate for page impressions lately it seems…

  4. rikard (@Eorlingur) - 9 years ago

    There are actually two pieces of news here:

    1: It is possible to impersonate an iPhone when talking to Apple’s servers.

    2: iPhones have no limit on password attempts.

    Neither of these is good news, but together they are really bad news.

    • standardpull - 9 years ago

      I hope there are no limits on password attempts – as a limit would create a dangerous DoS vector where someone could invalidate thousands of accounts very quickly.

      I’m sure that Apple has a rate-limiting algorithm in place which will slow down the requests from a specific IP, subnet, or against a specific account which will make password guessing techniques moot. This is best practice, along with complicated passwords.

      Of course, those that use common passwords will always be at risk.

  5. João (@jrmol) - 9 years ago

    Just tried it on my 2-step account. It gets blocked after 5 attempts. Either Apple fixed it, or it only works on non-2-step IDs.

    • Edison Wrzosek - 9 years ago

      Same here, I have 2-step enabled, and it gets stopped after 5 attempts. My guess is this “hack” (if you can call it), only works on non-2-step enabled accounts, which IMHO, should be none at all, if people were aware and smart enough (speaking of the average Joe here).

      • bq8user - 9 years ago

        Hello Edison,

        Excuse me, can you help me to reset my iCloud account?
        I have forgotten the password and security question and my iCloud is locked for security reasons.
        I want to reset my password; can you try with iDict please?

      • Edison Wrzosek - 9 years ago

        How about you ask Apple to help, not make sarcastic, stupid requests to a public forum?

  6. bq8user - 9 years ago

    Please, guys, does anyone know how to use this tool?
    I need to reset my account, please.

  7. Why did you delete my post?

  8. pelon1071 - 9 years ago

    Last Paragraph I think there’s a typo. *information

Author

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.