Apple patches serious vulnerability that let hackers take over your Apple ID


As of today, brute-forcing your way into your ex’s Apple ID or iCloud account with a dictionary attack is no longer a viable option.

As reported by James Cook of Business Insider, Apple has patched a vulnerability in its iCloud service that determined attackers were able to exploit to break into Apple ID accounts.

Apple IDs with weak passwords and without Apple’s vaunted two-step verification feature were at greatest risk, so we’re certainly glad that Apple has moved so swiftly to shore up the online security of its users.

The information came via none other than Pr0x13, the developer of a hacking tool called “iDict” that was released on New Year’s Day.

Long story short, it managed to bypass Apple’s account lockout restrictions and secondary authentication on any Apple ID or iCloud account.

You may recall that Apple recently tightened up iCloud security by locking an Apple ID after five unsuccessful password attempts. During its brief life, however, iDict relied on a different login path to fool Apple’s servers into believing that a legitimate user was signing in to iCloud.

Put simply, iDict impersonated a legitimate iPhone logging in to iCloud.com, and on that path the lockout did not apply. Using it, the tool ran a dictionary attack against accounts with weak passwords, trying a list of more than 500 commonly used passwords, and nothing prevented a determined attacker from swapping in a much larger word list than the one posted on GitHub.
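To make the weakness concrete, here is an added example (not code from the article, from Apple, or from iDict) that models an account service with two login paths, `web` and `device`, and runs a dictionary attack against each. With `shared_lockout=False` only the web path counts failures and locks the account after five, which is the kind of inconsistency the tool exploited; with `shared_lockout=True` every path consults one per-account counter before checking the password. The endpoint names, the account model, the PBKDF2 parameters and the short wordlist are all hypothetical, constructed for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical parameters for this illustration. The five-attempt lockout
# comes from the article; everything else is assumed.
MAX_FAILURES = 5
PBKDF2_ROUNDS = 50_000

# Constructed sample wordlist, standing in for the ~500-word list iDict shipped with.
SAMPLE_WORDLIST = [
    "123456", "password", "qwerty", "iloveyou", "letmein",
    "welcome1", "Fluffy2014", "Summer2014", "Passw0rd",
]


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so stored hashes are not plain password digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0  # consecutive failed attempts, used for the lockout


class AuthService:
    """Toy account service with two login paths.

    shared_lockout=False models the weakness: only the 'web' path counts
    failures and locks the account, so the 'device' path bypasses it.
    shared_lockout=True models the fix: every path checks and updates the
    same per-account counter before the password is even compared.
    """

    def __init__(self, shared_lockout: bool):
        self.shared_lockout = shared_lockout
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(password, salt))

    def login(self, user: str, password: str, endpoint: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_password"  # same answer as a wrong password: no user enumeration
        enforce = self.shared_lockout or endpoint == "web"
        if enforce and acct.failures >= MAX_FAILURES:
            return "locked"  # refuse before touching the password at all
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        if enforce:
            acct.failures += 1
        return "bad_password"


def dictionary_attack(service: AuthService, user: str, endpoint: str, wordlist):
    """Try each word in order until success or lockout.

    Returns (recovered_password_or_None, number_of_requests_sent).
    """
    for n, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess, endpoint)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


def run_scenarios(password: str = "Fluffy2014") -> dict:
    """Attack a fresh account through each path of each service variant."""
    results = {}
    for name, shared in (("vulnerable", False), ("hardened", True)):
        for endpoint in ("web", "device"):
            svc = AuthService(shared_lockout=shared)
            svc.register("victim@example.com", password)
            results[(name, endpoint)] = dictionary_attack(
                svc, "victim@example.com", endpoint, SAMPLE_WORDLIST
            )
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

Against the vulnerable service the web path locks on the sixth request, but the device path hands over the weak password on the seventh; the hardened service locks on the sixth request on both paths. Note that a per-account failure counter is exactly what lets a stranger lock you out of your own account, so a production design would bound the lockout in time or per source rather than keep a bare counter forever.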

That doesn’t mean we should all breathe a collective sigh of relief: attackers are always searching for new exploits, and Apple’s online services have yet to be fully hardened, across every login path, to discourage, if not prevent, this kind of brute-force attack.

Another thing to factor in: anyone running a tool like iDict against your account can trigger the lockout and leave you locked out of your own iCloud account, even though that lockout exists to keep attackers out in the first place.

The same caveats apply here: your password should not contain common terms such as pet names or other easily guessable words that can be harvested by means of social engineering.

Moreover, you should enable two-step verification for your Apple ID and preferably use a throwaway email address, or a private address that hasn’t been shared online, as your Apple ID user name.

And if you do protect your Apple ID with two-step verification, please store your Recovery Key in a safe place: misplacing it means losing access to your Apple ID for good if the account gets locked after brute-force attempts on your password.

[Business Insider]