Researcher accuses Apple of ignoring iCloud brute-force attack for 6 months

135

Comments

  • Reply 41 of 94
    Quote:
    Originally Posted by charlituna View Post



    So they didnt ignore it. They were told about it. They responded. Just because tthey didn't put in s lockout doesn't mean they were doing nothing. Beside a lockout is a placebo in many respects because someone can still use piss poor security questions or phish for passwords.



    And there is still no proof of exactly how those few celeb accounts were accessed to know if this flaw was s factor. Heck we don't even know how many accounts there were that were actually iCloud ones



    I developed my own web framework that powers all of the websites for my clients websites. This framework has been in development for 10 years. It's never been breached. But that said, it still took me only ONE HOUR to implement even stronger login form security a few months ago where login attempts are not accepted closer than 5 seconds apart for any given user. That dramatically increases the amount of time to brute-force logins. One hour. Why did Apple do nothing for six months?

  • Reply 42 of 94
    Quote:

    Originally Posted by Gatorguy View Post





    Good article and explanation. Thx.



    "7. Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recover process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step are the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.



    Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug."



    FWIW these are flaws that Apple has since addressed in the past couple of weeks aren't they?

     

    You really think someone "brute force" determined a email address, even by doing this? You don't think Apple also has logs in the backend of this and they'll find kinda fishy thousands of attempts on similar type email name, all failing, coming from one address (even if you spread it, the pattern of attempts will emerge). Brute force attacks are usually never done by the network because they'll be detected in the logs themselves before the very high number of attemps required to determine the value (even if the number of attempts is not limited).

     

    If you are saying that this "bug" would allow the attacker to whittle down the email address among a group of 4- 5 plausible ones. A lot of email address are kind of similar. Well, then I'd agree. But, calling that a brute force attack is a stretch. If someone has a email like [email protected] (bozo not being their real name or their job), I doubt anyone would find it with such a "bug" unless they post it somewhere else.

     

    Your user name to be impossible to find is only possible if you only use that email account for icloud, and nothing else (that way, unless somebody does phishing claiming to be Apple, and you respond, it will never come out); and the  user name has no relationship to you in any easy way : it's not your job, your dog, your favorite restaurant and certainly not your name.  Of course if you dog is tintin and your user name is mastertintin, you're probably safe ;-).

  • Reply 43 of 94
    gatorguy wrote: »
    The e-mails indicate Google already told him how they would address it don't they? AFAIK Google put similar fixes in place sometime back, and probably prompted by Balic's research IMHO.

    He's been around awhile and is well-known to both companies. He's the same one who crashed Apple's developer portal and Google Play. Not once either but twice "just to be sure".
    Where is your proof that Google said they would address it? You have none because he hasn't produced the Google e-mails. That right there speaks volumes.

    As far as you know? Please provide a link or source to show Google implemented a fix. Likewise provide proof those fixes were "probably prompted" by Balics e-mail.


    You are simply talking out of your ass and making huge assumptions without facts to back them up. The more things change.....
  • Reply 44 of 94
    Lo and behold, [URL=http://arstechnica.com/security/2014/09/apple-knew-of-icloud-api-weakness-months-before-celeb-photo-leak-broke/?comments=1]ArsTechnica has jumped on the bandwagon[/URL] and included "celebrity photo leak" in it's headline:

    [SIZE=4]
    Apple knew of iCloud API weakness months before celeb photo leak broke[/SIZE]
    [I]Security researcher reported brute force attacks were possible in March.[/I]

    There are others that are questioning the inclusion of Apple being at the forefront of the celeb leak, and someone else is claiming in the comments area that he also contacted Apple and received a reply...

    [quote="[url=http://arstechnica.com/civis/viewtopic.php?p=27655765#p27655765]robert.walter[/url]"]I too heard back from Brandon after reporting a suspected weakness with the regular predictability of form of the passwords generated by the iCloud keychain "xxx-xxx-xxx-xxx"... takes a lot to ruffle this guy's feathers.

    The crux of my concern:

    "By having these three rigid elements of predictability:
    1. fixed-length 15-character p/w;
    2. fixed-location of hyphen separators;
    3. fixed-definition of hyphens as separators;
    4. no option to choose type or quantity of non-alpha/-numeric characters, or even randomly generated type and quantity of same"

    His responses to me:

    "After reviewing your report, we do not see any security implications. While the regular spacing of the hyphens does give a theoretical attacker a tiny advantage, the overall gains of having a 15-character password with significant entropy vastly outweigh the slight disadvantage made in the name of usability."

    "We have reviewed your additional information and our original determination still stands. If you wish, you can still generate your own password."

    p.s. I my concern escalated it to Tim Cook ... as he's been busy lately, I understand his not yet replying.[/quote]
  • Reply 45 of 94
    foggyhill wrote: »
    You really think someone "brute force" determined a email address, even by doing this? You don't think Apple also has logs in the backend of this and they'll find kinda fishy thousands of attempts on similar type email name, all failing, coming from one address (even if you spread it, the pattern of attempts will emerge). Brute force attacks are usually never done by the network because they'll be detected in the logs themselves before the very high number of attemps required to determine the value (even if the number of attempts is not limited).

    If you are saying that this "bug" would allow the attacker to whittle down the email address among a group of 4- 5 plausible ones. A lot of email address are kind of similar. Well, then I'd agree. But, calling that a brute force attack is a stretch. If someone has a email like [email protected] (bozo not being their real name or their job), I doubt anyone would find it with such a "bug" unless they post it somewhere else.

    Your user name to be impossible to find is only possible if you only use that email account for icloud, and nothing else (that way, unless somebody does phishing claiming to be Apple, and you respond, it will never come out); and the  user name has no relationship to you in any easy way : it's not your job, your dog, your favorite restaurant and certainly not your name.  Of course if you dog is tintin and your user name is mastertintin, you're probably safe ;-).

    ...this can not be said often enough!
  • Reply 46 of 94
    Quote:
    Originally Posted by Gatorguy View Post





    ...by correctly answering security questions. The actual account holder wasn't advised of the failed log-in attempts or the fact that the password was recovered. If they had been many of the hacks may never have occurred.



    How did you obtain a password by answering security questions? That doesn't make any sense. When I put in the wrong password a few times I need to answer security questions. If I answer it right I got the chance to try again. It didn't give me any password, or let me in itself.

    You may obtain the password by calling iCloud support personally, pretending to be the owner but you need more than security password to convince those guys.

  • Reply 47 of 94
    Quote:

    Originally Posted by coolfactor View Post

     



    I developed my own web framework that powers all of the websites for my clients websites. This framework has been in development for 10 years. It's never been breached. But that said, it still took me only ONE HOUR to implement even stronger login form security a few months ago where login attempts are not accepted closer than 5 seconds apart for any given user. That dramatically increases the amount of time to brute-force logins. One hour. Why did Apple do nothing for six months?


     

    That's something I did in 1996 on my web site (unix machines were doing this in the 1980s).

     

    Brute force attacks accross the net is very rare because they show up in the logs quick.  You are detected.

     

    This could work without brute force because of the low count of attempt you actually need to get a hit. This is not a password, there are strong patterns in user names. Many emails are done in the same way, variants using first and last name. They probably only need to test 4-5 to actually get the email of most people.

     

    Even limiting attempt rates alone doesn't work if you need so little tries to get things right. The only thing that can help in this case is advising the user that someone is trying to log into their account.

     

    If Apple did it that way it is probably because checking ID has a usefullness to the user in some way.

  • Reply 48 of 94
    gatorguygatorguy Posts: 24,176member
    Where is your proof that Google said they would address it? You have none because he hasn't produced the Google e-mails. That right there speaks volumes.

    As far as you know? Please provide a link or source to show Google implemented a fix. Likewise provide proof those fixes were "probably prompted" by Balics e-mail.


    You are simply talking out of your ass and making huge assumptions without facts to back them up. The more things change.....
    On March 26th he wrote " I found the same issue with Google and I have got my response from them.". You are correct that he does not say Google is making any change. A few weeks later tho. . .
    http://googleonlinesecurity.blogspot.com/2014/06/google-drive-update-to-protect-to.html

    Other security changes include:
    http://googleonlinesecurity.blogspot.com/2014/04/new-security-measures-will-affect-older.html

    https://support.google.com/mail/answer/43692?hl=en
  • Reply 49 of 94
    dewmedewme Posts: 5,328member
    Refused? Ignored?

    These are words rooted in malicious intent.

    At the very worst you could say the Apple failed to recognize the severity or potential of the threat. The fact that they engaged in a dialog with the security researcher takes "ignored" off the table.
  • Reply 50 of 94
    Quote:
    Originally Posted by EMoeller View Post

     

    So anyone have more information on the Shellshock vulnerability?

     

    http://www.macworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html


    Shhhh, silence! Here at appleinsider will just pretend it doesn't exist! Maybe if we just stick our heads in the sand it will go away!

  • Reply 51 of 94
    Quote:

    Originally Posted by NelsonX View Post

     

    Shhhh, silence! Here at appleinsider will just pretend it doesn't exist! Maybe if we just stick our heads in the sand it will go away!


     

    You are sooo funny, considering 90% of Android users have unpatched security hole 20 times bigger that kiddie scripter can actually use (not the NSA...) with no hope of every being fixed in most cases. 

     

    The fun thing with Apple is if a real security flaw actually comes out there is a good chance they will get a fix promptly.  That's the fact of the matter. In Google's case, 98% of people will be exposed for months to years (or forever). You just have to see how slowly updates spread to users.

     

    BTW,  I still got a fix on my 3GS early this year (5 year old phone) even though its no longer officially supported.

  • Reply 52 of 94
    jfc1138jfc1138 Posts: 3,090member
    Quote:

    Originally Posted by digitalclips View Post





    I'd bet most if not all were phishing exploitations in the so called celebrity hacks.



    Indeed that's so much easier, and specific. Heck in all my inconsequentiality I get phished on a regular basis, odds are just because I've got an email account with an "edu" ending.

  • Reply 53 of 94
    Quote:

    Originally Posted by AdonisSMU View Post

     

    The goal is not to tell the truth. It's to create a story. 


    Yep.

  • Reply 54 of 94
    rogifanrogifan Posts: 10,669member
    dewme wrote: »
    Refused? Ignored?

    These are words rooted in malicious intent.

    At the very worst you could say the Apple failed to recognize the severity or potential of the threat. The fact that they engaged in a dialog with the security researcher takes "ignored" off the table.
    It shouldn't take six months to fix though. Benedict Evans (who is usually pretty pro Apple) tweeted that this was unacceptible and wondered why Apple is so keen on owning the fundamental technology in their products except when it comes to cloud. Tim Cook should hire someone with lots of experience in this area to run their cloud business. It needs more attention than it's currently getting.
  • Reply 55 of 94
    Apple has never given such reports sufficient attention and action. They need to change.
  • Reply 56 of 94
    And now there's this.

    http://bit.ly/1puhpKu
  • Reply 57 of 94
    jonljonl Posts: 210member
    Quote:

    Originally Posted by Gatorguy View Post



    "In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."

    And that's what kills me. Just a couple weeks ago, I verified I could reset my password and pwn my Apple ID merely by answering security questions along the lines of "What street did you live on as a child?" People unsophisticated about security would have answered straightforward questions truthfully instead of lying and treating them as secondary strong passwords, and they were set up to fail. Anyone who knows a person well or has researched them well enough could do this. It's really stunningly unbelievable that there was no secondary verification. I can't register onto even the most rinky dink web site without confirming in email, and Apple didn't even do that.

  • Reply 58 of 94
    jonljonl Posts: 210member
    Quote:

    Originally Posted by matrix07 View Post

     

    How did you obtain a password by answering security questions? That doesn't make any sense. When I put in the wrong password a few times I need to answer security questions. If I answer it right I got the chance to try again. It didn't give me any password, or let me in itself.

    You may obtain the password by calling iCloud support personally, pretending to be the owner but you need more than security password to convince those guys.


     

    You don't obtain the password. You reset it and create a new one. As of a couple weeks ago when I tested it, Apple still wasn't requiring any confirmation beyond answering the simple, straightforward questions that people needed to treat as secondary strong passwords. IOW, they needed to lie and remember their lies when setting up their account. I expect many, many people didn't realize this and answered truthfully, and this is a problem for non-obscure questions like "What street did you live on as a child?"

  • Reply 59 of 94
    muppetrymuppetry Posts: 3,331member
    Quote:

    Originally Posted by dasanman69 View Post



    And now there's this.



    http://bit.ly/1puhpKu

     

    Really? There's a vulnerability if an app asks for your login details to a website account and you provide them? BGR really is a sad excuse for a news website.

  • Reply 60 of 94
    jfc1138jfc1138 Posts: 3,090member
    Quote:
    Originally Posted by jonl View Post

     

     

    You don't obtain the password. You reset it and create a new one. As of a couple weeks ago when I tested it, Apple still wasn't requiring any confirmation beyond answering the simple, straightforward questions that people needed to treat as secondary strong passwords. IOW, they needed to lie and remember their lies when setting up their account. I expect many, many people didn't realize this and answered truthfully, and this is a problem for non-obscure questions like "What street did you live on as a child?"




    Agreed, I've always lied on those questions. And that predates public search engines that can reveal most anything.

     

    ETA: I was recently amazed at what get's stored. I was applying for a duplicate birth certificate and one of the security questions was a list of streets I'd lived on that had one I'd resided on in the mid 1970's! I was supposed to pick the one (or none) I hadn't lived on. Now that was a Yikes moment for sure. Other than the feds and tax returns I'd have NEVER guessed that sort of information was stored anywhere....

Sign In or Register to comment.