Hackers have a great start of new year 2015, giving a public threat to Apple’s online iCloud service. A hacker using the handle "Pr0x13" has released a password-hacking tool to GitHub website that assures attackers to break into any iCloud account, potentially giving them free access to victims’ iOS devices.
The tool, dubbed iDict, actually makes use of an exploit in Apple's iCloud security infrastructure to bypass restrictions and two-factor authentication security that prevents brute force attacks and keeps most hackers away from gaining access to users’ iCloud accounts.
Yes, the brute force security flaw in Apple’s iCloud file storage service that was responsible for celebrity nude photos leak, including Kim Kardashian, Vanessa Hudgens, Jennifer Lawrence, Rihanna, Kristin Dunst and Kate Upton, late last year.
Pr0x13 claims iDict to be a "100 percent" effective and simple to use method of cracking individual iCloud account login credentials. So, those using easy-to-guess passwords on their iCloud account are in more danger than those using a complex chain.
Despite countless warnings and advices in the past, online users are continuously using a weak strength of password chains such as "password," "12345678," "qwerty," "abc123," and "iloveyou", expecting that they couldn’t be a target of hack. But, now they need to worry about it.
iDict, currently hosted at GitHub, is limited by the size of the dictionary the tool uses to guess the password. At the time, the dictionary file only contains 500-word-long list of passwords. This means whilst it will succeed "100%" at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password. So if you are the one from the given 500-word-long list, your iCloud account is really at risk.
There is quite a low chance that this attack will actually work, but the attack would become an issue if someone with large set of resources gets access to the source code. A hacker with a much larger list of passwords might be able to compromise more accounts, however, we hope that Apple will patch this issue before this happens.
So far, we haven’t heard about any fallout from the release of the exploit, but users on Twitter and online discussion forum Reddit are saying that iDict is working as intended.
Pr0x13 says his intentions were only to alert Apple about the vulnerability, so that the company could fix the problem as soon as possible. The tool , according to the hacker, has been released to force Apple to act on the issue and nothing else. The company needs to fix the "painfully obvious" vulnerability before it's "privately used for malicious or nefarious activities," Pr0x13 explains on GitHub.
Apple needs to act fast on the issue to avoid another controversy like the celebrities' nude photo scandal of 2014, in which the brute force attack gave hackers access to countless personal and nude photographs of a number of high-profile celebs.
But, you just can’t rely fully on the company regarding your online security. As a precaution, first make sure that your password does not appear in Pr0x13’s password file and if it is change it immediately. Also change your password if you use a weak password! Moreover, enable two-factor authentication on all your accounts, if you haven't already.