Apple recently patched a serious security hole in iCloud. Security researcher Laxman Muthiyah found a vulnerability in the password reset mechanism that an attacker could exploit to take control of a victim's account. The researcher says the Cupertino company has played down the scale of the problem.
Storing your data online is a practical way to free up space on your devices, but it is of course not without risk. iCloud has learned this several times, notably in the case of the stolen celebrity photos, but also because of the many strains of malware that target cloud services. Not to mention the vulnerabilities that Apple prefers not to disclose to its users.
Laxman Muthiyah, a cybersecurity researcher, discovered a serious flaw in the password reset functionality. To let users regain access to their account when they forget their password, the service sends a 6-digit code by SMS or email. To succeed, an attacker must therefore know the victim's phone number or email address, then guess the 6-digit code from among one million possibilities (000000 to 999999).
Hacker Can Bypass iCloud Security Measures
The most effective approach for the attacker would be brute force. Apple anticipated this and limits the number of attempts to 5. In addition, the number of requests from a single IP address cannot exceed 6. In total, an attacker would therefore need some 28,000 different IP addresses to brute-force the 6-digit code sent by iCloud. Finally, to further strengthen the security of its platform, Apple blocks all requests originating from cloud providers such as Amazon Web Services and Google Cloud.
But in reality, as Laxman Muthiyah discovered, not all cloud providers are blocked, which opens the door to brute-force attempts. “We must first bypass the 6-digit code from the SMS and then the 6-digit code received in the e-mail address,” explains the researcher. “Both workarounds are based on the same method and the same environment, so we don’t need to change anything when we try the second workaround.” Laxman points out that even two-factor authentication cannot do anything about this flaw, although he acknowledges that “the attack is not easy to mount.”
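To make the two limits concrete, here is an added illustrative model (not Apple's implementation, nor code from the researcher's report): a toy reset-code verifier with a per-IP request cap and a per-account attempt cap, and an attacker that rotates through a pool of source addresses. The limits, the account name and the pseudo-addresses are constructed assumptions. It shows why a cap keyed on the source IP alone is no defence once the attacker controls enough addresses, and why the control that actually stops the brute force is the per-account counter that invalidates the code after a handful of wrong guesses. The article does not say how the per-account limit was circumvented in the real attack, so the model only covers the per-IP case.

```python
import secrets
from collections import defaultdict

# Constructed limits echoing the figures quoted in the article (5 wrong guesses
# per account, 6 requests per source IP). Illustrative model only; not Apple's
# real implementation or values.
CODE_DIGITS = 6
PER_ACCOUNT_LIMIT = 5
PER_IP_LIMIT = 6


class ResetCodeVerifier:
    """Toy 'forgot password' code check with two independent rate limits.

    enforce_account_limit=False models a service that throttles only by
    source IP; True additionally burns the code after per_account_limit
    wrong guesses, forcing the attacker to restart the whole reset flow.
    """

    def __init__(self, per_account_limit=PER_ACCOUNT_LIMIT,
                 per_ip_limit=PER_IP_LIMIT, enforce_account_limit=True):
        self.per_account_limit = per_account_limit
        self.per_ip_limit = per_ip_limit
        self.enforce_account_limit = enforce_account_limit
        self._codes = {}                      # account -> live code (None = invalidated)
        self._account_fails = defaultdict(int)
        self._ip_requests = defaultdict(int)

    def issue_code(self, account, code=None):
        """Issue a fresh CSPRNG code, or a caller-supplied one for reproducible runs."""
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = code
        self._account_fails[account] = 0
        return code

    def verify(self, account, guess, source_ip):
        """Check one guess; returns 'ok', 'wrong' or 'blocked'."""
        self._ip_requests[source_ip] += 1
        if self._ip_requests[source_ip] > self.per_ip_limit:
            return "blocked"                  # per-IP cap reached
        live = self._codes.get(account)
        if live is None:
            return "blocked"                  # no live code: never issued, used up, or burned
        if secrets.compare_digest(live, guess):
            self._codes[account] = None       # single use
            return "ok"
        self._account_fails[account] += 1
        if (self.enforce_account_limit
                and self._account_fails[account] >= self.per_account_limit):
            self._codes[account] = None       # burn the code; attacker must restart the flow
        return "wrong"


def distributed_bruteforce(verifier, account, per_ip_limit=PER_IP_LIMIT):
    """Walk the code space, switching to a new source address every
    per_ip_limit requests so the per-IP cap is never reached.

    Returns (code or None, attempts made, addresses consumed).
    """
    attempts = ips_used = 0
    source_ip = None
    for candidate in range(10 ** CODE_DIGITS):
        if attempts % per_ip_limit == 0:
            ips_used += 1
            source_ip = f"pool-ip-{ips_used}"  # constructed pseudo-address
        guess = f"{candidate:0{CODE_DIGITS}d}"
        attempts += 1
        result = verifier.verify(account, guess, source_ip)
        if result == "ok":
            return guess, attempts, ips_used
        if result == "blocked":               # account lockout: this reset flow is dead
            return None, attempts, ips_used
    return None, attempts, ips_used


if __name__ == "__main__":
    victim = "victim@example.com"             # constructed account name
    for enforce in (False, True):
        v = ResetCodeVerifier(enforce_account_limit=enforce)
        v.issue_code(victim, "000013")        # fixed code so the demo finishes quickly
        print("per-account limit enforced:", enforce, distributed_bruteforce(v, victim))
```

With the per-IP cap alone, the attacker simply consumes one address per six guesses and eventually lands on the code; with the per-account counter, the fifth wrong guess burns the code and every later request, including the correct code, is refused, so the attacker is forced back to the start of the reset flow.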
The researcher notified Apple of the vulnerability immediately, in July 2020. It was not until April 2021 that it was corrected, without Laxman being informed. “A very small minority of accounts were at risk, and extremely few Apple device users were vulnerable,” the Cupertino company eventually told him, adding that “this attack only works against Apple ID accounts that have never been used to sign in on a password protected iPhone, iPad or Mac.”
Apple downplayed the gravity of the situation
A justification that leaves Laxman Muthiyah unconvinced. According to him, the flaw was patched in October 2020, only a few months after his report. Apple maintains that the passcode validation vulnerability never existed, but the researcher is certain that an update was made after he reported it.
“If they fixed it after my report, the vulnerability became much more severe than I initially thought. By determining the password through brute force, we would be able to identify the correct passcode by differentiating the responses. So we can not only take control of any iCloud account, but also discover the code of the Apple device associated with it.”
Whether or not Apple tried to hide the severity of the vulnerability from its users, the fact remains that it has been fixed. It is therefore difficult to verify Laxman Muthiyah’s claims. He says Apple offered him $18,000 for his report, a sum he refused, deeming it too low for the extent of the vulnerability.