Apple closes leak that made iCloud vulnerable to brute force attacks
A developer known as Pr0x13 has released a tool that attempts to recover iCloud passwords by brute force. The tool reportedly worked despite the protection Apple had built in against such attacks. The problem has reportedly since been fixed.
Apple itself has said nothing about the vulnerability, but Pr0x13’s tool is reported to have stopped working, suggesting that the company has fixed the problem. On the developer’s GitHub page is code that initially circumvented the protection iCloud has against brute force attacks. The author calls the bug that made this possible “painfully obvious”.
It is unclear whether data belonging to iCloud users was stolen during the short time the tool, which goes by the name iDict, worked. Posts on social networking sites such as Twitter and Reddit report that iDict functioned as described, making it likely that data has been stolen. It is now reported that the tool no longer works.
To use iDict, users had to know the email address belonging to the iCloud account to be hacked, Business Insider reports. The tool then tries a list of 500 common passwords. Not every account is therefore vulnerable: if the account’s password is not on the list, iDict cannot break in. The tool could, however, easily be supplied with a longer list of candidate passwords.
Apple has previously been criticized for iCloud’s susceptibility to brute force attacks: the earlier vulnerability allowed an unlimited number of password guesses against an iCloud account. That bug came to light after photos of American actresses and other celebrities had been stolen from iCloud accounts. Apple then took countermeasures, but these could apparently be circumvented.
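The core weakness described above, a login that accepts an unlimited number of guesses, is what makes a 500-entry list of common passwords effective. As an added illustration from the defensive side (example code, not from the article, the tool, or Apple), the Python below shows a per-account lockout policy that ends a replayed wordlist after a handful of failures; the limits and the guess list are assumed placeholder values, not the real ones.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures allowed before lockout (assumed policy value)
LOCKOUT_SECONDS = 900   # how long the account stays locked after hitting the limit (assumed)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))

def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'; lockout is checked before the password."""
    if now < acct.locked_until:
        return "locked"          # no feedback at all on the guess while locked
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return "bad_password"

def run_guess_list(acct: Account, guesses: list, now: float) -> dict:
    """Replay a wordlist against one account and tally what the server answered."""
    tally = {"ok": 0, "bad_password": 0, "locked": 0}
    for guess in guesses:
        tally[attempt_login(acct, guess, now)] += 1
    return tally

# Constructed stand-in for a "500 common passwords" list; the real list is not on the page.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein", "abc123",
                  "iloveyou", "monkey", "dragon", "111111", "baseball"] * 50

if __name__ == "__main__":
    # "dragon" is on the list, yet the lockout stops the replay after MAX_FAILURES tries
    print(run_guess_list(create_account("dragon"), COMMON_GUESSES, now=0.0))  # {'ok': 0, 'bad_password': 5, 'locked': 495}
```

Without the lockout branch every one of the 500 guesses would be checked, and the weak password would be found on the eighth try.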