Last Friday, a new tool was published on GitHub that could be used to hack iCloud accounts protected by simple, weak passwords. Known as iDict, it fools Apple’s servers into thinking it is an iPhone and runs a brute-force attack, trying each entry of a 500-word list against the target’s Apple ID password.
A bug in iCloud.com let users try an incorrect password an unlimited number of times from an iPhone without being locked out. Exploiting this, iDict works through its 500-word list to break into iCloud accounts whose password is a simple word. What’s worrying is that the tool’s code is available for any hacker to use, and with enough commitment and a larger word list, even more complex passwords could be hacked. What’s even more alarming is that people have confirmed that the tool works and can hack iCloud accounts.
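As an added example (not code from the article, nor Apple’s own), here is what the missing control looks like on the server side: one per-account failed-attempt lockout that applies no matter which client the request claims to be, so a spoofed iPhone path gets no special treatment. The thresholds, the 15-minute window and all names are assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILED = 10        # failed attempts before the account locks (assumed policy)
LOCKOUT_SECONDS = 900  # lockout window, 15 minutes (assumed policy)

@dataclass
class AccountState:
    pw_hash: bytes
    failed: int = 0
    locked_until: float = 0.0

class AuthService:
    """Password check with one account-level lockout shared by every client path."""
    def __init__(self, now=time.monotonic):
        self.now = now  # injectable clock so the lockout window can be tested
        self.accounts: dict[str, AccountState] = {}

    @staticmethod
    def _hash(password: str) -> bytes:
        # Constructed fixed salt keeps the example deterministic; use a random per-account salt in practice.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000)

    def register(self, apple_id: str, password: str) -> None:
        self.accounts[apple_id] = AccountState(self._hash(password))

    def verify(self, apple_id: str, password: str, client: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'. `client` (e.g. a User-Agent string)
        never changes the decision: a shared counter is exactly what the iDict bug lacked."""
        acct = self.accounts.get(apple_id)
        if acct is None:
            return "bad_password"  # same answer as a wrong password: no account enumeration
        if acct.locked_until:
            if self.now() < acct.locked_until:
                return "locked"  # rejected before any hash work, whatever `client` claims
            acct.failed, acct.locked_until = 0, 0.0  # window over; start a fresh count
        if hmac.compare_digest(acct.pw_hash, self._hash(password)):
            acct.failed = 0
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
        return "bad_password"

def evaluated_guesses(svc: AuthService, apple_id: str, guesses: list[str], client: str) -> int:
    """Lockout regression check: how many guesses reach the hash comparison before the lock kicks in."""
    return sum(1 for g in guesses if svc.verify(apple_id, g, client) != "locked")
```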
Users with complex passwords have little to fear from the iDict tool, as its word list cannot break them. If you’re using a simple password such as a name, however, change it right away and turn on Apple’s two-step verification.
Pr0x13, the developer behind iDict, says he wanted Apple to patch this obvious bug and released the tool to show how easy it is to hack an iCloud account:
“This bug is painfully obvious, and it was only a matter of time before it was privately used for malicious or nefarious activities. I publicly disclosed it so Apple will patch it.”
As it turns out, Apple did hear him out and has now patched the vulnerability: if you try the tool now, the iCloud account gets locked out. Still, it shows how even the leaders in mobile software can sometimes neglect something so simple.
So what have you learnt from this? Always use a strong password that mixes letters and numbers, and consider turning on two-step verification as well.