The tool can be found on GitHub and the hacker claims that the tool will work 100 percent of the time and it “bypasses account lockout restrictions and secondary authentication on any account.”
Let us now examine how the attack works and why it is not as harmful (in and of itself) as claimed. The hacker has set up a dictionary attack (a type of brute-force attack) which tries numerous guesses (in this case passwords) in an attempt to access someone’s iCloud account.
The program created by Pr0x13 is a very limited version of a brute-force attack because the dictionary file only contains 500 passwords. Given that there are such few passwords in the file, there is a very low chance that this attack will actually work.
In a larger scale dictionary attack, the hacker would generally have access to terabytes of information (passwords in this case). The larger your dictionary file, the greater the chance that you will be successful in compromising the targeted account.
The attack does become an issue when someone who has access to a large set of resources gets access to the source code. An attacker with a much larger list of passwords might be able to compromise more accounts, however, we hope that Apple will patch this issue in the near future.
A good password management system will normally impose a timeout or lockout feature that only gives the user a certain number of attempts at entering their password. The attacker also claims that the code will bypass any lockout restrictions and secondary authentication on any account. Although this seems like an unlikely statement, it is still possible. However there is no evidence to backup his claim that the tool bypasses Apple’s brute-force protections.
Even if the tool bypasses secondary authentication and avoids the lockout mechanism, the list of passwords is too small to have any major impact on Apple’s iCloud services. A brute-force attack is limited to the information at hand, so creating a secure (not easily guessable) password will help keep you safe from most of these types of attacks. Apple has not yet released any official comment regarding the matter.
Even though the above attack on iCloud is weak at best, it is a good reminder that a strong password will help keep you safe from these simple attacks. As a precaution, please make sure your password does not appear in Pr0x13’s password file and if it is change it immediately.
[via Business Insider]