All iCloud accounts could be vulnerable to hacking by a new tool that claims it can break into any user’s login.
The tool claims to use an exploit to get through Apple’s security.
It uses a “dictionary attack” to get into accounts — a hack that involves automatically trying a list of likely passwords, one after another, until the right one is found. Sites usually have locks in place to stop such an attack, by allowing only a limited number of login attempts on an account before it is locked, but the tool claims to be able to bypass those.
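The lock the article describes is, in practice, a per-account counter of failed logins with a time window, and it is what turns an automated guessing run into a handful of attempts followed by a locked account. The example below is added here to show that mechanism; it is not code from the article or from Apple, and the account, the password, the guess list and the thresholds are all constructed for illustration. A fake clock stands in for wall time so the lockout expiry can be demonstrated without waiting.

```python
"""Per-account login throttling: the lock that defeats online password guessing.

Added illustration, not the article's or Apple's code. The credential store,
thresholds and guess list below are constructed for the example.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed per account within the window
WINDOW_SECONDS = 900    # sliding window for counting failures (15 minutes)
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is hit

# Constructed credential store. A real system stores salted password hashes;
# plaintext is used here only to keep the example short.
USERS = {"alice@example.com": "correct horse battery staple"}


class LoginThrottle:
    """Tracks recent failures per account and refuses logins while locked."""

    def __init__(self, now=time.time):
        self.now = now                      # clock function, injectable for tests
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def _prune(self, account):
        """Forget failures older than the sliding window."""
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.now() >= until:
            # Lock has expired: clear it and start the failure count afresh.
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def attempt(self, account, password):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        if self.is_locked(account):
            return "locked"     # no password is checked while the lock is active
        self._prune(account)
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(USERS.get(account, ""), password):
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(self.now())
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Run a constructed guess list against the throttle; return what a caller sees."""
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    account = "alice@example.com"
    # Constructed stand-in for a word list; none of these is the real password.
    guesses = ["password", "123456", "qwerty", "letmein", "iloveyou", "monkey"]
    results = [throttle.attempt(account, g) for g in guesses]
    # While the lock holds, even the correct password is refused.
    during_lock = throttle.attempt(account, USERS[account])
    clock.advance(LOCKOUT_SECONDS + 1)
    after_lock = throttle.attempt(account, USERS[account])
    return results, during_lock, after_lock


if __name__ == "__main__":
    results, during_lock, after_lock = simulate()
    print("guess results:", results)
    print("correct password during lock:", during_lock)
    print("correct password after lock expires:", after_lock)
```

Two design points matter for the scenario in the article. The counter is keyed on the account, not on the client, so spreading attempts over many source addresses does not reset it; and it is a server-side check that has to be applied on every path that accepts the credential, because a lock enforced on one login form but absent from another endpoint protects only the form.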
A number of posters on Twitter and Reddit claimed to have used the tool successfully.
If it does work, setting up two-step verification — which requires users to enter a code sent to their phone — could keep such an attack at bay. But otherwise, if the exploit is genuine, there is little users can do until Apple fix it.
The creator of the tool said that they had released it “so Apple will patch it”. But other security activists criticised the leak, and said that the user, who calls themselves pr0x13, should have informed Apple of the problem.
“If you have any interest in preventing harm, dropping a zero day on a national holiday without any attempt at responsible disclosure is probably not the best approach,” said one user on Reddit. “Zero day” refers to an exploit for a flaw in software that is not yet known to the software’s makers, so no fix is available.
Unlike other tech companies, Apple does not have a ‘bug bounty’ programme — a reward system that gives hackers cash for bringing exploits to their attention.
A Twitter account claiming to belong to the person who found the bug posted contradictory statements about how the tool can be used. It told followers to “Only use iDict on your own email”, but also repeatedly publicised the hack and the fact that the tool worked to bypass locked accounts.
iCloud vulnerabilities are also thought to have been used to steal hundreds of leaked pictures of celebrities in what was called ‘The Fappening’, in August and September.