New iCloud Exploit Claims to Circumvent Failed Password Limit and 2-Factor Authentication

Hackers are ringing in the new year with another public threat to Apple’s online iCloud service. An individual using the handle “Pr0x13” announced late Thursday the release of what is purported to be a “100 percent” effective method of cracking individual iCloud account login credentials. The tool, called “iDict” and currently hosted at GitHub, claims to utilize a “painfully obvious” bug in Apple’s iCloud security infrastructure and has been released to force Apple to act on the issue.

What is this?

A 100% Working iCloud Apple ID Dictionary attack that bypasses Account Lockout restrictions and Secondary Authentication on any account.

What this isn't:

A bypass or fully automated removal

Why?

This bug is painfully obvious and it was only a matter of time before it was privately used for malicious or nefarious activities; I publicly disclosed it so Apple will patch it.

Apple currently employs several publicly known security methods to prevent brute force attacks on iCloud account credentials. These include multi-factor authentication and automatic account lock-outs after more than five successive failed login attempts.

The method by which iDict is able to bypass multi-factor authentication isn’t clear, but the claimed ability to prevent an iCloud account from automatically locking after five failed login attempts would indeed be effective, as it would allow malicious users of the tool to engage in an endless brute force attack on iCloud accounts lacking multi-factor authentication until the correct password is discovered.
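The article's threshold of five successive failures is the control a defender can also monitor for directly. The following detector, an added example that is neither Apple's code nor part of the iDict tool, reads authentication log lines in an assumed format (timestamp, Apple ID, result) and flags any account whose run of consecutive failures exceeds that threshold; a login success arriving after such a run is exactly what the lockout should have prevented.

```python
"""Flag accounts hit by dictionary-style login attempts.

Added example; the log format, field names and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <apple_id> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2015-01-01T09:00:00 alice@example.com LOGIN_FAIL
2015-01-01T09:00:01 alice@example.com LOGIN_FAIL
2015-01-01T09:00:02 alice@example.com LOGIN_FAIL
2015-01-01T09:00:03 alice@example.com LOGIN_FAIL
2015-01-01T09:00:04 alice@example.com LOGIN_FAIL
2015-01-01T09:00:05 alice@example.com LOGIN_FAIL
2015-01-01T09:00:06 alice@example.com LOGIN_OK
2015-01-01T09:10:00 bob@example.com LOGIN_FAIL
2015-01-01T09:10:30 bob@example.com LOGIN_OK
"""

FAILURE_THRESHOLD = 5          # lockout limit cited in the article
WINDOW = timedelta(minutes=5)  # assumed monitoring window


def parse_log(text):
    """Yield (timestamp, account, ok) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result = line.split()
        yield datetime.fromisoformat(ts), account, result == "LOGIN_OK"


def find_brute_forced_accounts(text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {account: longest run} for accounts whose consecutive failures
    inside `window` exceed `threshold`, i.e. where a lockout should have fired."""
    runs = defaultdict(list)   # account -> timestamps of the current failure run
    flagged = {}
    for ts, account, ok in parse_log(text):
        if ok:
            runs[account] = []     # a success ends the run (but not the alert)
            continue
        run = [t for t in runs[account] if ts - t <= window] + [ts]
        runs[account] = run
        if len(run) > threshold:
            flagged[account] = max(flagged.get(account, 0), len(run))
    return flagged
```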

A shot of the iDict iCloud exploit tool in action (via Cody Cooper)

There is currently no official verification that iDict operates as it claims, nor has Apple publicly commented on the issue (the tool’s release on New Year’s Day has obviously slowed official responses from Apple and security firms), but users are reporting varied success via social media.

Those concerned with their own iCloud account’s security should note that, at this time, iDict appears to only pose a threat to individual and specified iCloud accounts. Further, a malicious user hoping to use the tool will need the Apple ID associated with the iCloud account, which may not always be a user’s public-facing email address. Finally, iDict uses a broad, but finite dictionary from which to draw its list of passwords during the brute force attack. If a user’s iCloud account password is not in that dictionary, the attack should not be able to succeed, although the existence of the purported security flaw may lead to more sophisticated exploits in the future.