Apple has reportedly patched a security hole exploited by a tool designed to hack accounts on Apple iCloud.
The tool, dubbed iDict, was uploaded recently to GitHub. According to the user who uploaded the tool, Pr0x13, iDict uses a “100% Working iCloud Apple ID Dictionary attack that bypasses Account Lockout restrictions and Secondary Authentication on any account.”
In a post, Pr0x13 described the bug as “painfully obvious and was only a matter of time before it was privately used for malicious or nefarious.”
Pr0x13 noted that the issue is fully patched now and urged the tool’s users to discontinue use if they don’t want to have their accounts locked.
Apple did not respond to a request for comment from SecurityWeek before publication.
“This new hacking tool to guess iCloud users’ passwords reminds us of a similar attack targeted at celebrity accounts a few months back,” said Jerome Segura, senior security researcher at Malwarebytes, in a statement. “iDict, as it is called, is made of a few php files and a large text file containing hundreds of thousands of passwords. The hacker loads the scripts on a local web server and is able to perform unlimited login attempts using the list of passwords.”
“What seems to happen here, and that’s what is called the ‘exploit,’ is failure to notice the brute force attack and therefore failure to prevent it,” he said. “Users affected by this flaw would be those who do not use two-factor authentication and whose email address is public.”
Two-factor authentication is one way of reducing this type of attack since it requires a device that the user ‘owns’ in order to proceed with the login attempt, he added.
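The control Segura describes as missing, noticing repeated failed logins against one account and refusing further attempts, is the account-lockout logic below. It is an added illustration, not code from the article, from iDict, or from Apple; the log format, the threshold of five failures, and the fifteen-minute sliding window are assumptions chosen for the example, and every log line is constructed sample data.

```python
"""Account-lockout / brute-force detection over authentication events.

Added illustration (not code from the article, iDict, or Apple): a per-account
failure counter with a sliding window and a lockout threshold, the control whose
absence lets a dictionary attack run "unlimited login attempts". The log format,
threshold and window are assumptions; all log lines are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <account> <credential-check result>"
# The third field is what the password check *would* return; the policy decides
# before that result is ever used, which is the point of a lockout.
SAMPLE_LOG = """\
2014-12-31T10:00:00 alice@example.com FAIL
2014-12-31T10:00:01 alice@example.com FAIL
2014-12-31T10:00:02 alice@example.com FAIL
2014-12-31T10:00:03 alice@example.com FAIL
2014-12-31T10:00:04 alice@example.com FAIL
2014-12-31T10:00:05 alice@example.com FAIL
2014-12-31T10:00:06 alice@example.com OK
2014-12-31T10:05:00 bob@example.com FAIL
2014-12-31T10:30:00 bob@example.com FAIL
2014-12-31T10:31:00 bob@example.com OK
"""

MAX_FAILURES = 5                 # failures tolerated inside the window (assumed policy)
WINDOW = timedelta(minutes=15)   # sliding window length (assumed policy)


def parse_line(line):
    """Parse one constructed log line into (timestamp, account, result)."""
    ts, account, result = line.split()
    return datetime.fromisoformat(ts), account, result


class LockoutPolicy:
    """Track recent failures per account and decide whether a login may proceed.

    attempt() returns:
      "allowed" - attempt processed; the failure counter is updated
      "locked"  - account is locked; rejected even if the password is correct
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.alerts = []                     # (timestamp, account) when a lockout triggers

    def _prune(self, account, now):
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, now, account, result):
        self._prune(account, now)
        q = self.failures[account]
        if len(q) >= self.max_failures:
            # Locked: the credential check result is irrelevant, so a dictionary
            # hit on the Nth guess is refused along with the wrong guesses.
            return "locked"
        if result == "FAIL":
            q.append(now)
            if len(q) == self.max_failures:
                self.alerts.append((now, account))   # raise an alert for the SOC
        else:
            q.clear()   # a successful login under the threshold resets the counter
        return "allowed"


def replay(log_text, policy=None):
    """Replay a log through the policy; return (account -> decisions, policy)."""
    policy = policy or LockoutPolicy()
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result = parse_line(line)
        decisions[account].append(policy.attempt(ts, account, result))
    return dict(decisions), policy


if __name__ == "__main__":
    result, pol = replay(SAMPLE_LOG)
    for account, outcomes in result.items():
        print(account, outcomes)
    print("alerts:", pol.alerts)
```

In the replay, alice's sixth failure and the following correct password are both rejected as "locked", and one alert is raised when the threshold is reached; bob's two failures are 25 minutes apart, so the first has aged out of the window and he is never locked. Two-factor authentication, as the article notes, complements this: even a guess that slips through before lockout still lacks the second factor.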