[Image: iCloud Photos problem loading]

Friday, a new attack tool was posted to GitHub that uses brute-force dictionary attacks on iCloud and Apple ID accounts with weak passwords. Using a dictionary list containing more than 500 words, the ‘iDict’ tool pretends to be a legitimate iPhone device trying to log in to iCloud.com. Somehow, it manages to avoid Apple ID lockout restrictions.

People with complex passwords shouldn’t be concerned, but those with simple ones based on commonly used words such as pet names are at risk. If you fall in that category, you’re strongly advised to change your password and, optionally, enable two-step verification for your Apple ID.

Seemingly unrelated to ‘iDict’, the Photos web app mysteriously disappeared from the iCloud website this morning.

Apple in the aftermath of the celebrity photo hacking incident has tightened up iCloud security. As part of the change, the system now locks an Apple ID after five unsuccessful attempts to enter the password.

It’s worrying that a hacker known as Pr0x13, the brains behind ‘iDict’, claims his tool actually bypasses Apple’s account lockout restrictions and secondary authentication on any Apple ID or iCloud account.

“This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it,” the release notes read.

According to Redditors and Twitter users, the tool works as advertised.

It’s astounding to me that Apple would permit these types of login attempts to this date without locking the account after several unsuccessful requests. Here’s hoping they patch the security hole sooner than later.

[Image: iCloud Photos Beta (upload functionality 001)]

As 9to5Mac’s Benjamin Mayo noted, the threat is real and shouldn’t be waved off lightly, because determined hackers use a much larger word list than the one posted on GitHub.

And like I said before, the Photos web app (pictured above) has disappeared from both the www.iCloud.com and beta.iCloud.com websites this morning. We couldn’t determine at post time whether the removal is permanent or temporary, or whether it has any connection to the release of the ‘iDict’ tool at all.

We’ll update the post when Photos reappears on iCloud.com.

The web app is part of iCloud Photo Library, Apple’s new solution to manage and sync photos across devices. Currently in beta, iCloud Photo Library can be enabled on iOS 8 devices under Settings > iCloud > Photos.

As part of this new photo-management solution, Apple confirmed it is winding down Aperture and iPhoto development in favor of an upcoming Photos app for the Mac, due in early 2015.

As for ‘iDict’, the easiest way to protect your Apple ID from hacking is to enable an additional layer of security in the form of Apple’s vaunted two-step verification.

With two-step verification enabled, you’ll need the code pushed to a trusted device whenever you sign in to My Apple ID to manage your account, sign in to iCloud on a new device or at iCloud.com, make an iTunes, iBooks or App Store purchase from a new device or get Apple ID related support from Apple.

[Image: apple two-step]

Be sure to store the 14-character Recovery Key that is generated for you after you enable two-step verification in a safe place: you will need it to regain control of your account should you get temporarily locked out by brute-force attempts against it.

Again, losing your Recovery Key means losing access to your Apple ID for good and the company can’t help you regain access without it.

Last but not least, since ‘iDict’ needs an Apple ID email address, you could also make your account more secure by using a private email address which hasn’t been shared online.

[GitHub, iCloud]

  • Chris

    It’s able to bypass the brute force protection because it makes a request to the setup server, which is what your iDevice uses to authenticate to iCloud for the first time. In saying that, the tool really isn’t that spectacular, as it requires you to know the Apple ID and have a valid password in the wordlist.txt file.

  • mobiIevids

    I just downloaded a great hd quality of the movie “The Interview” from the “bigU Movies” app I got from Cydia. I think either xsellize repo, insanelyi repo, Appcake or Zeusmos has the bigU Movies app

    • Elias

      Why would you make a comment about pirate related apps as well as pirate related cydia sources on a post regarding an iCloud hack?

    • susanb34

      For those planning to Jailbreak your new iPhone, iPad or iPod touch then I highly recommend adding this Cydia Source into Cydia after you jailbreak so you don’t have to manually input all those Cydia Sources manually. This will automatically add all the best Cydia Sources and give you access to all the best Cydia Tweaks, Themes and Apps for FREE with just a push of a button. Follow the steps below.

      1. Open Cydia

      2. Tap Sources

      3. Tap Edit

      4. Tap Add

      5. Type this url in the box

      “cydiasource,n e t” (replace the comma with a dot)

      6. Tap “Add Source”

      7. Install the package labelled “All Sources”.

      This will give you all the best Cydia Sources to have access to all the best Tweaks, Apps and Themes for FREE.

  • The bigger the user base, the more malicious hackers gain interest in the platform, the less security by obscurity (http://bit ly/1AjbkJ7) is going to work for Apple…nothing new.

    • Chris

      We never had security by obscurity. We always had security by design. People simply refused to believe it and invented the “security by obscurity” myth to explain it.

      • Sure, if leaving holes open and unpatched ’cause no one is exploiting them is considered “security by design” to you, good for you. Doesn’t change the fact that it conventionally defines security by obscurity…

      • Kr00

        People use Apple products more than any other on the face of the planet, yet we still don’t see the numbers of attacks, viruses or malware that you’ll find on Windows or Android. So much for your obscurity argument. Your FUD is wearing thin these days, old troll.

      • “People use Apple products more than any other on the face of the planet”

        Talk about idiocracy. A little googling would prove that to be BS you just pulled from your behind…based on your comment history, I know you’re too wise to be this asinine…must be an Apple investor doing whatever it takes to keep as much iSheeps in the dark as possible.

      • Kr00

        You’re clearly a moron using such infantile language, or just a half wit. Have you tried growing up? It’s 2015 now.

        Devices idiot, devices. They are Apple products, learn to read. Apple devices run iOS and OS X, more than any other devices on the face of the planet. Geez does your mother still have to hold your prick while you pee too? What a juvenile. You write like a mental patient, you’d better see someone about that.

      • Kurt

        Ouch…nice reply to that Apple paid troll.

  • Warmachine69

    2 step saves the day again! I hate when malware shuts something down when I’m in the middle of using it! Smh

  • Kr00

    It’s been reportedly patched.

    New IMEI numbers available in our database, now we have access to 60% of all iPhone IMEI numbers that can be iCloud unlocked.
    Visit our website apple-iremover