Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud Security Apple

Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March 93

blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account.
This discussion has been archived. No new comments can be posted.

Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

Comments Filter:
  • celebgate (Score:3, Informative)

    by Anonymous Coward on Wednesday September 24, 2014 @05:34PM (#47988741)
    apple really screwed the pooch with celebgate. protecting against brute force attacks is like security 101
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Don't forget their newest phones that bend. Oh and that great update that removes all phone functionality.

    • Re: (Score:1, Flamebait)

      by bobbied ( 2522392 )

      apple really screwed the pooch with celebgate. protecting against brute force attacks is like security 101

      Seriously? I think the celebrities where/are stupid.

      Who in their right mind takes compromising photos and allow them to be stored on anybody's cloud, while knowing that said pictures would be of great value to the public? Security 101 says, DON'T TAKE THE PICTURES in the first place, but if you insist on doing so, DON'T PUT THEM ON THE INTERNET.

      Apple may have messed up by not notifying their customers of hacking attempts, but you are not thinking if you put things of value in anybody's hands for safe kee

      • Re:celebgate (Score:4, Insightful)

        by Fwipp ( 1473271 ) on Wednesday September 24, 2014 @07:32PM (#47989545)

        Yeah, those stupid celebrities. Why, I'll bet they keep their money in the bank, protected only by a PIN or online password! And park their cars *outside* some times, where anyone passing by could steal it. Heck, even their homes and loved ones are protected by little more than a simple series of alarm/gate codes. They're *definitely* primarily responsible for when criminals target them for deliberate harm.

        P.S: 's/where/were/g'

        • Re:celebgate (Score:5, Insightful)

          by Anonymous Coward on Wednesday September 24, 2014 @08:20PM (#47989855)

          Are you an iDiot or an iFan?

          My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).

          As the OP said, protecting against brute force attack is basic security. This is another major screw up from Apple.

          • How easy is it to lock someone's account and access to all of their data in the cloud, by simply throwing 5 bad logon attempts at their account name? How would you feel if someone were to do that every hour, using a botnet, forcing you to go to an apple store, show your ID and have your finger print scanned just to unlock your account?

            Yes, this may be slightly exaggerating the situation, but simply locking someone's account because someone else made 5 attempts to log on to it isn't going to work in practic

          • A multi-billion dollar company told them their photos were "secure". These people are not computer scientists; they cannot judge security on their own. Do you think these people understand the difference in security between their bank and iCloud? In both cases they are trusting in the perceived expertise of those successfully running the services.

            Not even sure what you are replying to either. The parent was clearly not defending Apple.

          • by Fwipp ( 1473271 )

            Yes, that is what I'm getting at. OP is blaming the celebrities for Apple allowing brute force attacks.

      • also, consider that apple automatically backs up phones and this isn't even visible when it's happened (no notice box or anything). I'm not sure if its default or not. so celbs may have thought it was local, not in the cloud.

        look, it's a generational thing. the younger generation snaps naked selfies. you probably would too if you were a girl that age. dont be so quick to judge.
      • I agree, if you do take nude pictures, at least use an old fashioned film roll camera and have the pics developed at a local photo lab.

    • by Revek ( 133289 ) on Wednesday September 24, 2014 @07:41PM (#47989621)

      I know not of this celebgate. Perhaps I know it by a different name?

  • by Anonymous Coward

    Just like all the retail companies with credit card breaches who hit it from the public so it didn't hinder their optimal selling season, Apple did it to protect the launch of their new baby.

    Scumbags

  • by Anonymous Coward

    Apple certainly didn't do anything wrong.

  • by mveloso ( 325617 ) on Wednesday September 24, 2014 @05:43PM (#47988837)

    Has anyone actually shown that this was exploited by anyone?

    • by Anonymous Coward

      No, but who cares.

      This is Apple bashing, so it MUST be true.

      But while we are at it, this has just come through from out IT department at work.

      "A security bulletin has been released advising of a serious vulnerability with the stock web browser that comes with many versions of Android - the Operating System (OS) used on many smartphones and tablets.

      The vulnerability allows a malicious web page to "read cookies and password fields, submit forms, grab keyboard input, or do practically anything else." - Ars Tec

      • by Anonymous Coward

        This is Apple bashing, so it MUST be true.

        If Apple acknowledged and explicitly fixed the brute force flaw how can it not be true?

  • ONE MORE THING... (Score:4, Interesting)

    by Anonymous Coward on Wednesday September 24, 2014 @06:09PM (#47989003)

    I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.

    I can tell you the iPhone 5s is still being order in significant quantities, but the iPhone 6 and 6 Plus orders are vastly greater and roughly equal in number, particularly for bulk orders.

    I called Apple about this problem immediately, when I first found out about it, after having received a suspicious e-mail from Apple inquiring about my on-line store experience written in French. After calling two more times and seemingly wasting all of those hours talking with Apple representatives, nothing has changed. More orders just keep showing up in my on-line account. I changed my password right away and already had 2-factor authentication in place. No change. The last Apple rep said they would call me back the next day but never did. There seem to be many layers of escalation and every time I called, the time difference between the U.S. and Europe was claimed to be an impediment. The Apple reps could never see the order information either--I always had to read them examples of order numbers over the phone. A brain-dead support system.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      No worries. You were just using the web page wrong.

    • Re:ONE MORE THING... (Score:4, Informative)

      by sexconker ( 1179573 ) on Wednesday September 24, 2014 @06:47PM (#47989259)

      Create an anonymous Twitter account and start tweeting details and mentioning @Apple . Partially redact them, if you want.
      The only way to get attention from a major corporation is to make a big public stink.

    • by dgatwood ( 11270 )

      I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.

      Somebody with a volume purchase plan account probably made a typo when adding administrator email addresses or something.

      Go here [apple.com] and se

    • by mccalli ( 323026 )
      That's a serious one - take it to the exec team. Used to be that if you mailed sjobs@apple.com and you had something valid, you would get a reply. I had my laptops sorted out in this manner.

      It might be the address to use these days is tcook@apple.com, but I'll bet the same system exists.
    • Can you change all the shipping addresses on pending orders to a local mail drop or PO box? How about 300 I street, Sacramento CA (Jail).

      That will get their attention, right quick.

  • Not Brute Force (Score:4, Interesting)

    by abhi_beckert ( 785219 ) on Wednesday September 24, 2014 @06:17PM (#47989053)

    "Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account."

    20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

    I find it hard to believe anyone was actually vulnerable to this.

    • Re:Not Brute Force (Score:4, Insightful)

      by Anonymous Coward on Wednesday September 24, 2014 @06:39PM (#47989213)

      I'd say 20,000 attempts is plenty. There have been enough leaks of real passwords from all over the web to compile an extremely accurate list of 20k of the most used passwords. Unless you are computer literate and security concious enough to use a unique, randomly generated password for everything there is a fair chance you've used one of the 20k passwords for something.

    • Re:Not Brute Force (Score:5, Informative)

      by aardvarkjoe ( 156801 ) on Wednesday September 24, 2014 @06:48PM (#47989267)

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.

    • by ljw1004 ( 764174 ) on Wednesday September 24, 2014 @07:59PM (#47989741)

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      20,000 not brute force?!! Would you call it "subtle and refined"?

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      http://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-are-used-by-98-8-of-all-users/

      The top 10k passwords are used by 98.8% of all users. 20k would get them plenty!

      • I'd want to see where this information comes from. There are websites where I have no idea why the idiots want a password from me, so it is entirely possible that many users of such a site would use stupid passwords. And use a much safe password for their AppleID password.
    • Re:Not Brute Force (Score:5, Insightful)

      by Eythian ( 552130 ) <robin@kallisti.[ ].nz ['net' in gap]> on Wednesday September 24, 2014 @08:46PM (#47989991) Homepage

      Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.

    • Given that in most systems allowed characters are number and letters with case sensitivity you only get this far:

      alphanumeric:
      36^2 = 1296
      36^3 = 46656
      so you only get 2

      case sensitive alphanumeric:
      62^2 = 3844
      62^2 = 238328 also only 2

      Not that it matters because like others say you would use this to do a brute force with a dictionary attack, this is still generally termed as brute force though.

  • Monorail (Score:5, Funny)

    by sexconker ( 1179573 ) on Wednesday September 24, 2014 @06:45PM (#47989237)

    Well, sir, there's nothing on Earth
    Like a genuine, bona-fide
    Electrified, six-inch iPhone 6 Plus.
    What'd I say?

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    That's right! iPhone 6 Plus!

    iPhone 6 Plus.
    iPhone 6 Plus.
    iPhone 6 Plus.

    I saw those leaks they had me wowed.
    We've made some changes to iCloud.
    Is there a chance the phone could bend?
    Not on your life, my hipster friend.

    What about us brain-dead slobs?
    You'll just worship Mr. Jobs.
    What's the point of that huge bezel?
    Just more space for fans to revel.

    16 gigs is too little space.
    Pay the upcharge to keep pace.
    I swear this phone's your only choice,
    Throw up your hands and raise your voice.

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    Once again.
    iPhone 6 Plus!

    But iOS is still shitty and broken.
    Sorry, Slashdot, the mob has spoken.

    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!

    iPho, d'oh!

  • by Anonymous Coward

    The Fappening had nothing to do with brute force attacks and everything to do with security questions answered with publicly available information.

    • Re: (Score:1, Troll)

      by DaHat ( 247651 )

      And you know this how?

      You may be right.... but unless you've got some specific evidence you are speculating just as much as any explicit pointing to this vulnerability as the exploit used in the hack.

  • I wish Apple would hire a security expert, and have him/her work directly for Eddy Que [apple.com].

  • See

    http://www.wired.com/2014/09/eppb-icloud/

  • Ibrahim Balic is the researcher who in the past claimed to have been responsible for uncovering a flaw that brought down Apple's Dev Center. As it turned out, he uncovered a lesser problem around the time a more significant flaw was exploited. It seems that he is a bit of an attention seeker, so I would take anything that comes from him with a grain of salt.

    I can't find the exact links that cover the older story, but here are some related ones:
    http://www.cultofmac.com/24151... [cultofmac.com]
    http://9to5mac.com/2013/08/20/. [9to5mac.com]

  • by EmperorOfCanada ( 1332175 ) on Thursday September 25, 2014 @12:04AM (#47990745)
    I was helping someone with their forgotten iCloud password and we tried a few dozen variations. My incorrect guess was that instead of telling me to go to hell that it was playing some odd game such as letting me try passwords by ignoring me to waste my time.

    It simply never occurred to me that this was a gianormous security hole staring me in the face. What exactly is happening at Apple, there is Bentgazi, iOS 8 killing iPhone 4s and iPhone 5, iOS 8.0.1 killing iPhone 6, apparently a last minute screen switch away from sapphire, plus many subtle other things such as it doesn't seem like they are using liquid steel in their cases, and the whole U2 spam crap, which it turns out they wrote a massive cheque to U2 for. Then there is the collective yawn over the iWatch. But worst of all is the total lack of a substantially new product in years. Basically the business model at apple has been to steamroll all their older product lines with something mind-boggling. But they seem to have stalled. iPhone sales are awesome but if you look at the history of all of Apples previous products they basically had their day in the sun and then were eclipsed by the latest and greatest apple product. iMacs, iPods, iPod touches, Nanos, iPhones, iPads, and now the iWatch. I think that the iWatch will end up sitting alongside the Apple TV, not eclipsing anything.
    • by shrik3 ( 581113 )

      Ok, I'll bite. What, to you, counts as a "substantially new product" from - say - Samsung, HTC, Nokia or any other mobile manufacturer?

      Please exclude any devices that have only bigger X and faster Y and more Z, since that's not substantially new.

      • So you are saying Apple is equivalent to those companies you named? Many of us agree.

      • While they have their flagship products (Galaxy S? for Samsung), those vendors also sell multiple different models targeting multiple market segments, so one thing they've got going is that they've got phones at a lot of different price/feature points.
        If you're talking about Samsung: NFC, Infrared, water resistance/proof, tap, screen mirroring standards, wireless charging (yes, Apple has NFC too but it's also a year later).

        I believe somebody (Song?) was looking into cool tech like 3d/spatial scanning etc.

        Fo

      • By substantially new I mean something like the difference between an iPod and an iPhone, that was a huge leap which was actually derided at the time; the general opinion was that apple should stick to music and leave the phones to the big boys like Motorola. My basic point is that each Apple product has faded after a great new leap came out. The macbook business is still huge but pales in comparison to the iPhone business as is the iPod business. So assuming that iPhones will slowly fade at some point, what
  • "While the exploit Balic says he reported to Apple shares a stark resemblance to the exploit allegedly used in the so-called "Celebgate" hack, it is currently unclear if they are the same vulnerability."

    Not even directly said in the article, only in the screenshots of the emails: "Same issue consists with other companies too", "found the same issue with Google "

  • yeah it's good job for hacker, can unlock account icloud to many actrees BOX Office and we can see the picture. if some people can cracking icloud how about another feature from apple?

According to the latest official figures, 43% of all statistics are totally worthless.

Working...