Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March
blottsie writes: Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
celebgate (Score:3, Informative)
Re: (Score:3, Interesting)
Don't forget their newest phones that bend. Oh and that great update that removes all phone functionality.
Re: (Score:1, Flamebait)
Apple really screwed the pooch with celebgate. Protecting against brute-force attacks is like security 101.
Seriously? I think the celebrities where/are stupid.
Who in their right mind takes compromising photos and allow them to be stored on anybody's cloud, while knowing that said pictures would be of great value to the public? Security 101 says, DON'T TAKE THE PICTURES in the first place, but if you insist on doing so, DON'T PUT THEM ON THE INTERNET.
Apple may have messed up by not notifying their customers of hacking attempts, but you are not thinking if you put things of value in anybody's hands for safe kee
Re:celebgate (Score:4, Insightful)
Yeah, those stupid celebrities. Why, I'll bet they keep their money in the bank, protected only by a PIN or online password! And park their cars *outside* some times, where anyone passing by could steal it. Heck, even their homes and loved ones are protected by little more than a simple series of alarm/gate codes. They're *definitely* primarily responsible for when criminals target them for deliberate harm.
P.S: 's/where/were/g'
Re:celebgate (Score:5, Insightful)
Are you an iDiot or an iFan?
My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).
As the OP said, protecting against brute-force attacks is basic security. This is another major screw-up from Apple.
Denial of service (Score:2)
How easy is it to lock someone's account and access to all of their data in the cloud, by simply throwing 5 bad logon attempts at their account name? How would you feel if someone were to do that every hour, using a botnet, forcing you to go to an Apple Store, show your ID and have your fingerprint scanned just to unlock your account?
Yes, this may be slightly exaggerating the situation, but simply locking someone's account because someone else made 5 attempts to log on to it isn't going to work in practic
Re: (Score:2)
A multi-billion dollar company told them their photos were "secure". These people are not computer scientists; they cannot judge security on their own. Do you think these people understand the difference in security between their bank and iCloud? In both cases they are trusting in the perceived expertise of those successfully running the services.
Not even sure what you are replying to either. The parent was clearly not defending Apple.
Re: (Score:2)
Yes, that is what I'm getting at. OP is blaming the celebrities for Apple allowing brute force attacks.
Re: (Score:1)
"Banking is protected by law, any lost money will be reimbursed."
Up to $250,000. After that, you're shit out of luck.
Kinda.... (Score:1)
"Banking is protected by law, any lost money will be reimbursed."
The controlling federal laws are the Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) (15 U.S.C. 1693 et seq.). If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions.
However, unlike credit cards, if someone makes unauthorized use of your debit or ATM card and if you do not learn of the transactions and report them after 2 business da
Re: (Score:2)
My point is that bobbied was blaming the celebrities for trusting a password to secure photos, which doesn't actually make any sense of him. Perhaps it wasn't clear in my post, but I also blame Apple for allowing such an obvious security hole.
Re: (Score:2)
look, it's a generational thing. the younger generation snaps naked selfies. you probably would too if you were a girl that age. don't be so quick to judge.
Re: (Score:2)
Your bank account info is private by nature; an iCloud account is not. People will know your email.
Apple must maintain a balance between security and usability. If Apple were stupid enough to use a 5-, 10- or even 20-attempt-then-cutoff system, it would simply create a huge weakness for DoS attacks. Having a cool-off period after multiple fails is the best strategy; it makes brute-force attacks useless, as it could take years to get in. Alerting people after failed attempts is useless. Any webmaster knows that eve
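The two posts above (the "Denial of service" one and this one) describe the same trade-off: a hard lockout after N failures stops guessing but lets anyone lock the real owner out, while an escalating cool-off keeps the account reachable and still caps how many guesses fit into a day. The simulation below is an added example written for this thread, not Apple's code or anything from the article. The account name, the policy parameters (3 free failures, then cool-offs doubling from 1 s up to 1 h, or a hard lock after 5 failures) and the simulated clock are all constructed assumptions.

```python
"""Per-account login throttling: hard lockout vs. escalating cool-off.

Everything runs against a simulated clock (seconds); nothing sleeps.
Account names, thresholds and delays are constructed for the example.
"""
import math
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts on this account
    not_before: float = 0.0  # earliest simulated time the next attempt is evaluated
    locked: bool = False     # only set by the "lockout" policy


class LoginThrottle:
    """policy="lockout": lock the account for good after max_failures.
    policy="backoff": after free_failures, each further failure imposes a
    cool-off that doubles from base_delay up to max_delay (never a permanent lock)."""

    def __init__(self, policy, max_failures=5, free_failures=3,
                 base_delay=1.0, max_delay=3600.0):
        if policy not in ("lockout", "backoff"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.max_failures = max_failures
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}

    def attempt(self, account, password_ok, now):
        """Returns "ok", "denied", "locked" or "cooling_off".
        The password is only evaluated when the result is "ok" or "denied"."""
        st = self.state.setdefault(account, AccountState())
        if st.locked:
            return "locked"
        if now < st.not_before:
            return "cooling_off"
        if password_ok:
            st.failures = 0
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        if self.policy == "lockout":
            if st.failures >= self.max_failures:
                st.locked = True
        else:
            extra = st.failures - self.free_failures
            if extra > 0:
                # exponent is capped so the float multiplication cannot overflow
                delay = self.base_delay * 2.0 ** min(extra - 1, 60)
                st.not_before = now + min(delay, self.max_delay)
        return "denied"


def _wait_out(throttle, account):
    """Simulated time at which the account accepts the next attempt."""
    return throttle.state[account].not_before


def time_for_guesses(policy, n, account="victim@example.com"):
    """Simulated seconds until an attacker's n-th wrong guess is evaluated,
    or math.inf if the account locks first."""
    throttle = LoginThrottle(policy)
    now, guesses = 0.0, 0
    while guesses < n:
        result = throttle.attempt(account, False, now)
        if result == "locked":
            return math.inf
        if result == "cooling_off":
            now = _wait_out(throttle, account)
            continue
        guesses += 1
    return now


def guesses_in_window(policy, window, account="victim@example.com"):
    """How many wrong guesses fit into `window` simulated seconds."""
    throttle = LoginThrottle(policy)
    now, guesses = 0.0, 0
    while now < window:
        result = throttle.attempt(account, False, now)
        if result == "locked":
            break
        if result == "cooling_off":
            now = _wait_out(throttle, account)
            continue
        guesses += 1
    return guesses


def owner_after_attack(policy, account="victim@example.com"):
    """Someone else makes five wrong guesses; the real owner then logs in with
    the correct password half a second later and again a minute later."""
    throttle = LoginThrottle(policy)
    now = 0.0
    for _ in range(5):
        while throttle.attempt(account, False, now) == "cooling_off":
            now = _wait_out(throttle, account)
    return (throttle.attempt(account, True, now + 0.5),
            throttle.attempt(account, True, now + 60.0))


if __name__ == "__main__":
    for policy in ("lockout", "backoff"):
        print(policy, "guesses/day:", guesses_in_window(policy, 86400),
              "20k guesses take:", time_for_guesses(policy, 20000),
              "owner after attack:", owner_after_attack(policy))
```

Under the hard lockout the attacker gets 5 guesses and the owner is locked out for good by those same 5 guesses; under the cool-off policy the owner is only held up for a few seconds, while the 20,000 guesses from the story would take the attacker more than two years against one account. Combining a per-account cool-off with a per-source-address limit is the usual next step, since it blunts both the brute force and the lockout-as-DoS.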
Re: (Score:1)
I agree, if you do take nude pictures, at least use an old fashioned film roll camera and have the pics developed at a local photo lab.
Re:celebgate (Score:4, Funny)
I know not of this celebgate. Perhaps I know it by a different name?
Re:celebgate (Score:4, Informative)
The Fappening.
Shady business is best business! (Score:1)
Just like all the retail companies with credit card breaches who hid it from the public so it didn't hinder their optimal selling season, Apple did it to protect the launch of their new baby.
Scumbags
He was holding it wrong (Score:1)
Apple certainly didn't do anything wrong.
Re:He was holding it wrong (Score:4, Funny)
No, he was entering passwords wrong. You're only supposed to enter one password not 20,000. The latter is not part of crApple's UX design.
Exploited in real life? (Score:4, Interesting)
Has anyone actually shown that this was exploited by anyone?
Re:Exploited in real life? (Score:4, Informative)
There are forum posts detailing how it was done and offering to do it if people can supply email addresses. It worked by brute-forcing passwords, which for celebs isn't hard because you can find the name of their boyfriend or pet with Google. Then software from Elcomsoft was used to download the data from iCloud, including deleted images that were in old backups etc.
Expect it all to be spelled out in detail in the inevitable lawsuits. It will be interesting to see what the dignity of a celebrity is worth.
Re: (Score:2)
It will be interesting to see what the dignity of a celebrity is worth.
The fact that there was even a story about this shows that their dignity is worth vastly more than yours or mine. Not that I think photos have anything to do with dignity.
Re: (Score:2)
Anonymous Coward owes me a keyboard because I just blew coffee all over mine.
Re: (Score:2)
I would not be surprised if non-technical people and not-that-smart people have fallen for such schemes.
A well-crafted phishing attack, like this appears to be, is going to snare a certain amount of people regardless of their intelligence or computer expertise. It's impossible to be vigilant 100% of the time at any task, much less security.
Also I think the overuse of notifications and popup alerts actively conditions users to respond without really giving it a whole lot of conscious thought. I've caught myself clicking these alerts with "how do I get rid of this annoyance" rather than "what are the security impli
Re: (Score:1)
No, but who cares.
This is Apple bashing, so it MUST be true.
But while we are at it, this has just come through from our IT department at work.
"A security bulletin has been released advising of a serious vulnerability with the stock web browser that comes with many versions of Android - the Operating System (OS) used on many smartphones and tablets.
The vulnerability allows a malicious web page to "read cookies and password fields, submit forms, grab keyboard input, or do practically anything else." - Ars Tec
Re: (Score:1)
This is Apple bashing, so it MUST be true.
If Apple acknowledged and explicitly fixed the brute force flaw how can it not be true?
ONE MORE THING... (Score:4, Interesting)
I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.
I can tell you the iPhone 5s is still being ordered in significant quantities, but the iPhone 6 and 6 Plus orders are vastly greater and roughly equal in number, particularly for bulk orders.
I called Apple about this problem immediately, when I first found out about it, after having received a suspicious e-mail from Apple inquiring about my on-line store experience written in French. After calling two more times and seemingly wasting all of those hours talking with Apple representatives, nothing has changed. More orders just keep showing up in my on-line account. I changed my password right away and already had 2-factor authentication in place. No change. The last Apple rep said they would call me back the next day but never did. There seem to be many layers of escalation and every time I called, the time difference between the U.S. and Europe was claimed to be an impediment. The Apple reps could never see the order information either--I always had to read them examples of order numbers over the phone. A brain-dead support system.
Re: (Score:2, Funny)
No worries. You were just using the web page wrong.
Re:ONE MORE THING... (Score:4, Informative)
Create an anonymous Twitter account and start tweeting details and mentioning @Apple . Partially redact them, if you want.
The only way to get attention from a major corporation is to make a big public stink.
Re: (Score:2)
Somebody with a volume purchase plan account probably made a typo when adding administrator email addresses or something.
Go here [apple.com] and se
Re: (Score:2)
Hmm. Maybe your Apple ID is associated with some magic sentinel value, like NULL. :-D
File a bug report at bugreport.apple.com.
Re: (Score:2)
It might be the address to use these days is tcook@apple.com, but I'll bet the same system exists.
Re: (Score:2)
Can you change all the shipping addresses on pending orders to a local mail drop or PO box? How about 300 I street, Sacramento CA (Jail).
That will get their attention, right quick.
Not Brute Force (Score:4, Interesting)
"Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account."
20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
Re:Not Brute Force (Score:4, Insightful)
I'd say 20,000 attempts is plenty. There have been enough leaks of real passwords from all over the web to compile an extremely accurate list of 20k of the most used passwords. Unless you are computer literate and security conscious enough to use a unique, randomly generated password for everything, there is a fair chance you've used one of the 20k passwords for something.
Re:Not Brute Force (Score:5, Informative)
20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.
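The dictionary attack described in this answer has two visible shapes in authentication logs: a long run of failures against one account, or one source trying a couple of popular passwords against many accounts (password spraying, the "whole bunch of accounts" case). The script below is an added example for this thread, not code from Apple, Balic or the article. The log line format, the IP addresses, account names, timestamps and thresholds are all constructed for the example.

```python
"""Flagging credential guessing in authentication logs.

Two patterns: many failures against one account inside a short window
(brute force / dictionary), and one source failing against many accounts
with only a few tries each (password spraying).  The log format and every
sample line are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# constructed format: "<iso-timestamp> auth OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn log lines into (timestamp, result, user, src); unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_brute_force(events, window=timedelta(minutes=10), threshold=20):
    """Accounts that saw >= threshold failures inside any sliding window."""
    by_user = defaultdict(list)
    for ts, result, user, _ in events:
        if result == "FAIL":
            by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def find_spray(events, window=timedelta(minutes=10), min_accounts=10, max_per_account=3):
    """Sources that failed against many distinct accounts, few tries per account."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = set()
    for src, items in by_src.items():
        items.sort()
        counts, start = Counter(), 0
        for end, (ts, user) in enumerate(items):
            counts[user] += 1
            while ts - items[start][0] > window:   # slide the window forward
                old_user = items[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.add(src)
                break
    return flagged


def _constructed_log():
    """Sample log: one account hammered, one source spraying, one normal user."""
    t0 = datetime(2014, 9, 1, 9, 0, 0)
    lines = []
    for i in range(25):   # 25 wrong guesses at alice from one source, 10 s apart
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} auth FAIL user=alice src=203.0.113.7")
    for i in range(12):   # one source, two guesses each against 12 accounts
        for j in range(2):
            ts = t0 + timedelta(seconds=5 * (2 * i + j))
            lines.append(f"{ts.isoformat()} auth FAIL user=user{i:02d} src=198.51.100.9")
    t1 = t0 + timedelta(minutes=1)   # ordinary user: two typos, then success
    lines += [
        f"{t1.isoformat()} auth FAIL user=bob src=192.0.2.5",
        f"{(t1 + timedelta(seconds=20)).isoformat()} auth FAIL user=bob src=192.0.2.5",
        f"{(t1 + timedelta(seconds=40)).isoformat()} auth OK user=bob src=192.0.2.5",
        "garbled line that the parser should skip",
    ]
    return lines


SAMPLE_LOG = _constructed_log()


def analyse(lines=SAMPLE_LOG):
    events = parse(lines)
    return {"brute_force": find_brute_force(events), "spray": find_spray(events)}


if __name__ == "__main__":
    print(analyse())
```

On the sample, alice is flagged for brute force and 198.51.100.9 for spraying, while bob's two typos trip neither rule. The per-account rule alone would miss the spray, which is exactly why a throttle keyed only on the account (or an alert keyed only on one user's failures) is not enough.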
Re:Not Brute Force (Score:5, Insightful)
Pretty sure one of the top 20,000 passwords on those lists will get you into 80% of the accounts out there.
Re:Not Brute Force (Score:4, Funny)
20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
20,000 not brute force?!! Would you call it "subtle and refined"?
Re: (Score:3, Interesting)
http://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-are-used-by-98-8-of-all-users/
The top 10k passwords are used by 98.8% of all users. 20k would get them plenty!
Re: (Score:1)
These are MacIdiots (iIdiots?) we're talking about.
Re:Not Brute Force (Score:5, Insightful)
Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.
More like 2 characters long (Score:2)
Given that in most systems the allowed characters are numbers and letters, with case sensitivity, you only get this far:
alphanumeric:
36^2 = 1296
36^3 = 46656
so you only get 2
case-sensitive alphanumeric:
62^2 = 3844
62^3 = 238328, also only 2
Not that it matters, because, as others say, you would use this to do a brute force with a dictionary attack; this is still generally termed brute force, though.
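The arithmetic above, plus the earlier point that 20,000 guesses is a dictionary attack rather than an exhaustive one, suggests the defence that actually matters: reject at signup any password that sits on the list an attacker would try first. The code below is an added example for this thread, not Apple's or anyone else's from the article. It generalizes the post's 36- and 62-character cases to other alphabets (cumulative over all lengths up to L) and uses a tiny constructed stand-in for a real top-20k list; the `normalize` folding rules are an assumption about which cheap variations guess lists already cover.

```python
"""Exhaustive-search reach of a guess budget, and a common-password denylist check.

ALPHABETS mirrors the post above; COMMON_PASSWORDS is a constructed stand-in
for a real list of the most-used passwords.
"""

ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 36,
    "mixed-case alphanumeric": 62,
    "printable ASCII": 95,
}


def exhaustible_length(alphabet_size, budget):
    """Longest L such that every password of length 1..L together fits in `budget` guesses."""
    total, length = 0, 0
    while total + alphabet_size ** (length + 1) <= budget:
        length += 1
        total += alphabet_size ** length
    return length


def exhaustible_lengths(budget=20000):
    """What 20,000 guesses can exhaust for each alphabet: 2 to 4 characters."""
    return {name: exhaustible_length(n, budget) for name, n in ALPHABETS.items()}


# constructed excerpt; a real deployment loads the full leaked-password list
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou",
                    "letmein", "princess", "football"]

_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def normalize(pw):
    """Fold the cheap variations guess lists expand anyway:
    case, a trailing run of digits/punctuation, and common leetspeak."""
    pw = pw.lower()
    stripped = pw.rstrip("0123456789!.?")
    pw = stripped or pw            # an all-digit password stays as it is
    return pw.translate(_LEET)


def is_guessable(pw, denylist=COMMON_PASSWORDS):
    """True if the password is a trivial variant of a denylisted one."""
    norm = normalize(pw)
    return any(normalize(entry) == norm for entry in denylist)


if __name__ == "__main__":
    print(exhaustible_lengths())
    for candidate in ["Passw0rd1!", "football2014", "xK9#qL2vP"]:
        print(candidate, "guessable" if is_guessable(candidate) else "ok")
```

With a 20,000-guess budget nothing longer than 4 digits, 3 lowercase letters or 2 mixed-case alphanumerics can be exhausted, yet "Passw0rd1!" and "football2014" are still caught because they are one-step variants of list entries. A denylist check at password creation removes the targets a 20k-word attack depends on, independently of whatever throttle the login endpoint applies.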
Monorail (Score:5, Funny)
Well, sir, there's nothing on Earth
Like a genuine, bona-fide
Electrified, six-inch iPhone 6 Plus.
What'd I say?
iPhone 6 Plus!
What's it called?
iPhone 6 Plus!
That's right! iPhone 6 Plus!
iPhone 6 Plus.
iPhone 6 Plus.
iPhone 6 Plus.
I saw those leaks they had me wowed.
We've made some changes to iCloud.
Is there a chance the phone could bend?
Not on your life, my hipster friend.
What about us brain-dead slobs?
You'll just worship Mr. Jobs.
What's the point of that huge bezel?
Just more space for fans to revel.
16 gigs is too little space.
Pay the upcharge to keep pace.
I swear this phone's your only choice,
Throw up your hands and raise your voice.
iPhone 6 Plus!
What's it called?
iPhone 6 Plus!
Once again.
iPhone 6 Plus!
But iOS is still shitty and broken.
Sorry, Slashdot, the mob has spoken.
iPhone 6 Plus!
iPhone 6 Plus!
iPhone 6 Plus!
iPhone 6 Plus!
iPho, d'oh!
Re: (Score:1)
Pretty good.
What's it like being a homophobe?
And ... ? (Score:1)
The Fappening had nothing to do with brute force attacks and everything to do with security questions answered with publicly available information.
Re: (Score:1, Troll)
And you know this how?
You may be right.... but unless you've got some specific evidence, you are speculating just as much as anyone explicitly pointing to this vulnerability as the exploit used in the hack.
Hire a security expert (Score:1)
I wish Apple would hire a security expert, and have him/her work directly for Eddy Cue [apple.com].
iBrute + EPPB Police Tool = mimics iOS device (Score:1)
See
http://www.wired.com/2014/09/eppb-icloud/
Ibrahim Balic... (Score:2)
Ibrahim Balic is the researcher who in the past claimed to have been responsible for uncovering a flaw that brought down Apple's Dev Center. As it turned out, he uncovered a lesser problem around the time a more significant flaw was exploited. It seems that he is a bit of an attention seeker, so I would take anything that comes from him with a grain of salt.
I can't find the exact links that cover the older story, but here are some related ones:
http://www.cultofmac.com/24151... [cultofmac.com]
http://9to5mac.com/2013/08/20/. [9to5mac.com]
I stumbled on this one a while ago (Score:3, Interesting)
It simply never occurred to me that this was a ginormous security hole staring me in the face. What exactly is happening at Apple? There is Bentgazi, iOS 8 killing iPhone 4s and iPhone 5, iOS 8.0.1 killing iPhone 6, apparently a last-minute screen switch away from sapphire, plus many other subtle things, such as it doesn't seem like they are using liquid steel in their cases, and the whole U2 spam crap, which it turns out they wrote a massive cheque to U2 for. Then there is the collective yawn over the iWatch. But worst of all is the total lack of a substantially new product in years. Basically the business model at Apple has been to steamroll all their older product lines with something mind-boggling. But they seem to have stalled. iPhone sales are awesome, but if you look at the history of all of Apple's previous products, they basically had their day in the sun and then were eclipsed by the latest and greatest Apple product. iMacs, iPods, iPod touches, Nanos, iPhones, iPads, and now the iWatch. I think that the iWatch will end up sitting alongside the Apple TV, not eclipsing anything.
Re: (Score:2)
Ok, I'll bite. What, to you, counts as a "substantially new product" from - say - Samsung, HTC, Nokia or any other mobile manufacturer?
Please exclude any devices that have only bigger X and faster Y and more Z, since that's not substantially new.
Re: (Score:1)
So you are saying Apple is equivalent to those companies you named? Many of us agree.
Different marketing (Score:1)
While they have their flagship products (Galaxy S? for Samsung), those vendors also sell multiple different models targeting multiple market segments, so one thing they've got going is that they've got phones at a lot of different price/feature points.
If you're talking about Samsung: NFC, Infrared, water resistance/proof, tap, screen mirroring standards, wireless charging (yes, Apple has NFC too but it's also a year later).
I believe somebody (Song?) was looking into cool tech like 3d/spatial scanning etc.
Fo
RTFA (Score:2)
Not even directly said in the article, only in the screenshots of the emails: "Same issue consists with other companies too", "found the same issue with Google "
Good job (Score:1)