Researcher accuses Apple of ignoring iCloud brute-force attack for 6 months
A security researcher who discovered a brute-force attack against Apple's iCloud service in March -- similar to the "iBrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier this month -- says that the company refused to address the flaw for months after he reported it.

Screenshots courtesy of The Daily Dot
Computer security expert Ibrahim Balic first notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to The Daily Dot. At the time, Balic told company representatives that he had been able to test as many as 20,000 passwords against specific accounts.
Apple employees were still working with Balic to assess the situation as late as May, when they appeared to discount its severity.
"Using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account," one Apple engineer wrote back to Balic. "Do you believe that you have a method for accessing an account in a reasonably short amount of time?"
It is unclear what relationship the bug that Balic discovered -- which he believes went unresolved -- has to the iBrute tool that allowed a similar attack against Find my iPhone. Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets.
Comments
And there is still no proof of exactly how those few celeb accounts were accessed to know if this flaw was a factor. Heck, we don't even know how many of the accounts were actually iCloud ones.
Supposedly it was this:
"Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets."
I'm not sure that's exactly what Apple said. As I recall they used some very specific wording that was perhaps meant to give that impression, but they did not issue a denial.
imo people need to stop thinking whatever Apple says is perfect and always the truth....
That being said, since the security issues are now on the CEO's radar and will get resolved, we may get a chance to add more Apple shares after it's been dumped on FUD.
Did nobody read the e-mails?
He clearly states that the same vulnerability also worked on Google. He said it in both letters. He also stated that Google had gotten back to him either.
Funny how everyone seems to be missing this part of his letters. It's like as soon as they see the word "Apple" they put on blinders.
Edited: He stated Google did respond. I was thinking of something else.
Did nobody read the e-mails?
He clearly states that the same vulnerability also worked on Google. He said it in both letters. He also stated that Google hadn't gotten back to him either.
Funny how everyone seems to be missing this part of his letters. It's like as soon as they see the word "Apple" they put on blinders.
No he said that they did get back to him.
Hmm. The hacker guy wanted a lockout - but I think Apple have a timeout, which is better. Nobody wants to be locked out for ever.
So basically this guy is talking crap. Basically it would take years to test the 20,000 passwords.
No he said that they did get back to him.
Correct, I switched them around and edited my post.
However, that still doesn't change anything. He claims Google had this flaw as well, and he claimed it twice. So how come nobody is talking about Google having an exploit? Why hasn't he published his Google e-mails as well as the Apple e-mails?
Unimportant individuals trying to achieve some level of importance before vaguely-qualified peers. Goal = income.
I am Spartacus!
From the headline title, one would assume that Apple never engaged on the issue but in fact, the article says that Apple was working with Balic and asked him if he could access an account in a reasonably short time. The article doesn't detail what if anything he said back to Apple.
The goal is not to tell the truth. It's to create a story.
People seem to be under the impression that the password system has no time caps. It does, and always has, which is why dictionary attacks were never really a feasible vector using the Find My iPhone user/pass system. It wasn't a surprise to anyone that it wasn't part of the photo leaks.
Huh?
Ridiculous stories about Apple in the past few days. Sigh. What else is new....
The e-mails indicate Google already told him how they would address it, don't they? AFAIK Google put similar fixes in place some time back, probably prompted by Balic's research IMHO.
He's been around a while and is well known to both companies. He's the same one who crashed Apple's developer portal and Google Play. Not once either, but twice, "just to be sure".