New Apple ID attack tool surfaces as Apple pulls Photos web app from iCloud.com

iCloud Photos problem loading

Friday, a new attack tool was posted to GitHub that uses brute-force dictionary attacks on iCloud and Apple ID accounts with weak passwords. Using a dictionary list containing more than 500 words, the ‘iDict’ tool pretends to be a legitimate iPhone device trying to log in to iCloud.com. Somehow, it manages to avoid Apple ID lockout restrictions.

People with complex passwords shouldn’t be concerned but those with simple ones based on commonly used words such as pet names are at risk. If you fall in that category, you’re wholeheartedly recommended to change your password and optionally enable two-step verification for your Apple ID.

Seemingly unrelated to ‘iDict’, the Photos web app mysteriously disappeared from the iCloud website this morning.

Apple in the aftermath of the celebrity photo hacking incident has tightened up iCloud security. As part of the change, the system now locks an Apple ID after five unsuccessful attempts to enter the password.

It’s worrying that a hacker known as Pr0x13, the brains behind ‘iDict’, claims his tool actually bypasses Apple’s account lockout restrictions and secondary authentication on any Apple ID or iCloud account.

“This bug is painfully obvious and was only a matter of time before it was
privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it,” release notes read.

According to Redditors and Twitter users, the tool works as advertised.

It’s astounding to me that Apple would permit these types of login attempts to this date without locking the account after several unsuccessful requests. Here’s hoping they patch the security hole sooner than later.

iCloud Photos Beta (upload functionality 001)

As 9to5Mac’s Benjamin Mayo noted, the threat is real and shouldn’t be waived off lightly because determined hackers use a much larger word list than the one posted on GitHub.

And like I said before, the Photos web app (pictured above) has disappeared from both the www.iCloud.com and beta.iCloud.com website this morning. We couldn’t determine at post time whether this removal was permanent or temporary or if any eventual connection to the release of the ‘iDict’ tool is purely coincidental.

We’ll update the post when Photos reappears on iCloud.com.

The web app is part of iCloud Photo Library, Apple’s new solution to manage and sync photos across devices. Currently in beta, iCloud Photo Library can be enabled on iOS 8 devices under Settings > iCloud > Photos.

As part of this new photo-management solution, Apple confirmed winding down Aperture and iPhoto development in favor of an upcoming Photos app for the Mac, due in early-2015.

As for ‘iDict’, the easiest way to protect your Apple ID from hacking is to enable an additional layer of security in the form of Apple’s vaunted two-step verification.

With two-step verification enabled, you’ll need the code pushed to a trusted device whenever you sign in to My Apple ID to manage your account, sign in to iCloud on a new device or at iCloud.com, make an iTunes, iBooks or App Store purchase from a new device or get Apple ID related support from Apple.

apple two-step

You should absolutely ensure to store a 14-character Recovery Key that gets generated for you after you’ve enabled two-step verification in a safe place — you’re going to need it if you want to regain control of your account should you get temporarily locked out due to brute-force attacks.

Again, losing your Recovery Key means losing access to your Apple ID for good and the company can’t help you regain access without it.

Last but not least, since ‘iDict’ needs an Apple ID email address, you could also make your account more secure by using a private email address which hasn’t been shared online.

[GitHub, iCloud]