By Graeme Burton
Apple has fixed yet another security flaw in its iCloud service after a new tool called iDict was launched at the start of the year.
The tool enables users to conduct dictionary attacks against Apple iCloud users – practically all of the company’s installed base. In a page on the open-source projects website GitHub, the author, who calls him or herself @Pr0x13, describes the tool as a “100 per cent working iCloud Apple ID Dictionary attack that bypasses account lockout restrictions and secondary authentication on any account.”
However, the author of the tool claims that his primary purpose for producing it was to alert Apple to a glaring flaw in the security of its cloud storage service. “This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it.”
The author adds: “Check and make sure its [sic] legal in your country to use this tool before doing so. I’m not responsible for any damage done whatsoever to anyones iCloud account or iDevice. I didn’t exploit any accounts while writing this, as well I didn’t even test it out (hope it works, LOL). I merely observed and reported.”
While Apple had blocks in place to prevent dictionary or “brute force” attacks against iCloud accounts, the tool was able to get round these. In response to its release, Apple implemented further blocks on “brute force” or dictionary attacks within a day of the tool’s release.
“This attack targets the ‘loginDelegates functionality’, which is a sort-of ‘side-door functionality’ that can easily receive less scrutiny. The lesson for service providers is to put in place strong, consistent standards across entire development organisations and to proactively think about alternate authentication processes that might slip under the security radar,” said Patrick Thomas, security consultant at Neohapsis, which was recently acquired by networking hardware giant Cisco.
He continued: “If valid, this is an attack technique and vulnerability almost identical to the weakness in the ‘Find my iPhone’ used in the iCloud breach, which compromised celebrity photos in August.
“Remote password brute force attacks are a slow and noisy attack, but can be effective against users who chose poor passwords. Best practice is for service providers to limit the number of password guesses allowed and enforce multi-factor authentication at every possible entry point, but in complex applications developers will often ‘lock the front door’ but forget about less obvious interfaces.”
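The point Thomas makes, that guess limits must be enforced at every login-capable entry point rather than only at the “front door”, is easy to illustrate in code. The following is an added example written for this article; it is not Apple's code and not the iDict tool. It models a service with two login endpoints, a primary one and a secondary “delegate” one, and routes both through a single per-account throttle, so that guesses made at either endpoint count against the same lockout. The account name, passwords, limits and the `unguarded_delegate_login` function that shows the weak pattern are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Illustrative policy values (constructed, not Apple's): after MAX_FAILURES
# wrong guesses within WINDOW_SECONDS, lock the account for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 600
LOCKOUT_SECONDS = 900


@dataclass
class _AccountState:
    failures: int = 0
    first_failure: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    """One shared guess counter per account, regardless of which endpoint is
    hit. Every login-capable endpoint must go through guarded_login() so that
    a secondary interface gets exactly the same limits as the primary one."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for testing
        self._state: dict[str, _AccountState] = {}
        self.audit: list[tuple[str, str, str]] = []   # (endpoint, account, outcome)

    def is_locked(self, account: str) -> bool:
        s = self._state.get(account)
        return s is not None and self._clock() < s.locked_until

    def record_failure(self, account: str) -> None:
        now = self._clock()
        s = self._state.setdefault(account, _AccountState())
        if s.failures == 0 or now - s.first_failure > WINDOW_SECONDS:
            s.failures, s.first_failure = 0, now   # start a fresh window
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)             # clear counters on success


# --- constructed credential store (salted PBKDF2, constant-time compare) ----
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_credential_store(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    store = {}
    for account, password in users.items():
        salt = os.urandom(16)
        store[account] = (salt, _hash(password, salt))
    return store


def check_credentials(store, account: str, password: str) -> bool:
    entry = store.get(account)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


# --- the one code path every entry point must use ---------------------------
def guarded_login(throttle: LoginThrottle, store, account: str,
                  password: str, endpoint: str) -> str:
    if throttle.is_locked(account):
        outcome = "locked"
    elif check_credentials(store, account, password):
        throttle.record_success(account)
        outcome = "ok"
    else:
        throttle.record_failure(account)
        outcome = "bad_credentials"
    throttle.audit.append((endpoint, account, outcome))   # feed for detection
    return outcome


def front_door_login(throttle, store, account, password) -> str:
    return guarded_login(throttle, store, account, password, "web")


def delegate_login(throttle, store, account, password) -> str:
    return guarded_login(throttle, store, account, password, "delegate")


# The weak pattern Thomas describes: a secondary interface that calls the
# credential check directly and never consults the shared throttle.
def unguarded_delegate_login(store, account, password) -> str:
    return "ok" if check_credentials(store, account, password) else "bad_credentials"


def demo(clock=time.monotonic) -> dict:
    throttle = LoginThrottle(clock=clock)
    store = make_credential_store({"alice@example.invalid": "correct-horse-battery"})
    for _ in range(MAX_FAILURES):
        front_door_login(throttle, store, "alice@example.invalid", "wrong-guess")
    return {
        "locked": throttle.is_locked("alice@example.invalid"),
        # side door shares the lockout, even with the right password
        "delegate_guarded": delegate_login(throttle, store, "alice@example.invalid",
                                           "correct-horse-battery"),
        "delegate_unguarded": unguarded_delegate_login(store, "alice@example.invalid",
                                                       "correct-horse-battery"),
        "audit_failures": sum(1 for _, _, o in throttle.audit if o == "bad_credentials"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The throttle is keyed on the account, not on the calling endpoint, so adding a new interface later cannot silently create an unlimited path; and every decision is appended to an audit list, which is what a detection team would consume to spot the “slow and noisy” pattern Thomas mentions (many `bad_credentials` outcomes for one account across several endpoints).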
Apple has increasingly become the target of attacks as more and more people use its iCloud service to store photos, documents and other personal data – often without even realising the potential security and other implications of doing so.