iCloud accounts at risk after hacker releases tool allowing access to any login
Other hackers criticise publishing of tool, rather than informing Apple of exploit
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.All iCloud accounts could be vulnerable to hacking by a new tool that claims it can break into any user’s login.
The tool claims to use an exploit to get through Apple’s security.
It uses a “dictionary attack” to get into accounts — a hack that involves automatically trying a number of passwords until the right one is found. Sites usually have locks in place to stop such an attack, by only allowing a certain number of tries of one password, but the tool claims to be able to bypass those.
A number of posters on Twitter and Reddit claimed to have used the tool successfully.
If it does work, setting up two-step verification — which requires users to enter a code sent to their phone — could keep such an attack at bay. But otherwise, if the exploit is genuine, there is little users can do until Apple fix it.
The creator of the tool said that they had released the “so Apple will patch it”. But other security activists criticised the leak, and said that the user, who calls themselves pr0x13, should have informed Apple of the problem.
“If you have any interest in preventing harm, Dropping a zero day on a national holiday without any attempt at responsible disclosure is probably not the best approach,” said one user on Reddit. “Zero day” refers to exploits in software that are not known by their creators, and so no solution is in place.
Unlike other tech companies, Apple does not have a ‘bug bounty’ programme — a reward system that gives hackers cash for bringing exploits to their attention.
A Twitter account claiming to belong to the person that found the bug posted contradictory statements about how the tool can be used. It told followers to “Only use iDict on your own email”, but also repeatedly publicised the hack and the fact that the tool worked to bypass locked accounts.
iCloud vulnerabilities were also thought to be used to steal hundreds of leaked pictures of celebrities in what was called ‘The Fappening’, in August and September.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments