A group of Dutch and Moroccan hackers has reportedly bypassed Apple’s iCloud activation lock through a serious security flaw that Apple has failed to patch with the most recent updates. The flaw allows stolen iPhones to be unlocked in an instant. This is the first time a hacker group has managed to compromise iCloud, reports the Dutch newspaper De Telegraaf.
The hackers are on Twitter under the pseudonyms AquaXetine and MerrukTechnolog, and they are offering unlocking services via the doulci.nl website. According to information found on their website, doulCi is the world’s first Alternative iCloud Server, and the world’s first iCloud Activation Bypass.
As of writing, the server isn’t live yet, but when it is, it will support all devices except GSM iPads, the iPhone 4s, and the iPhone 5c and 5s, which are currently in beta testing. For those who are skeptical, the hackers have posted a long list of already hacked iPhones, and according to De Telegraaf, the list contains up to 30,000 iPhones previously reported as stolen or locked by the user.
doulCi is said to be the solution for regaining access to the iPhone, but security expert Mark Loman – whom we contacted yesterday – says he’s afraid the group can do much more, even read iMessages, as Apple has failed to patch an important security hole with the latest updates.
What doulCi does is to manipulate applications on the iPhone so the handset believes it is communicating with the genuine Apple server.
To use doulCi it’s very simple. Just add the “MAGIC LINE” to your “hosts” file on any operating system you are using, and then you are just one step away from having the device bypassed. All you need to do is open the famous software developed by Apple Inc. and plug your device into the USB port on your machine, and it will be done in a few seconds.
The Alternative iCloud Server is the result of five months of work, and the hacker group says it didn’t do it for money, but to raise awareness about Apple’s false iCloud security claims.
They had already informed Apple in March about the critical vulnerability, but the company left their emails unanswered.
As Mark Loman said yesterday, those who skipped the latest iOS 7 update should jump on it now and refrain from accessing public Wi-Fi spots. For Windows users, the matter is much more delicate, as Apple has not patched a serious security flaw that allows hackers to sniff iTunes account credentials as the data is sent to the Apple server.
“Actually, the data IS encrypted. But when an attacker strips SSL during a so-called man-in-the-middle attack, the AppleID account name and password can be extracted as they are sent in plain text inside SSL,” Mark Loman said in an email sent to iPhone in Canada.
The server responsible for activation is called ‘albert.apple.com’. Apparently, this iCloud server or iTunes does not check whether the activation data has been manipulated or altered by the ‘upstream server’ created by the doulCi hackers.
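For administrators who want to check whether a machine's hosts file has been edited in the way described above, the following is an added example, not code from doulCi, Apple or the article's sources. It assumes the hosts-file line pins an Apple hostname such as albert.apple.com to a non-Apple address; the watched-suffix list, the function name and the sample entries are constructed for illustration.

```python
import ipaddress
import sys

# albert.apple.com comes from the article; the suffix list is an assumption.
WATCHED_SUFFIXES = ("apple.com", "icloud.com")

# Constructed sample hosts file (addresses are documentation ranges).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 203.0.113.10 albert.apple.com   (commented out, must be ignored)
203.0.113.10 ALBERT.apple.com. www.icloud.com
198.51.100.7 notapple.com
::1 localhost ip6-localhost
"""

def find_overrides(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, ip, hostname) for hosts entries that pin a watched domain."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue                               # blank or address-only line
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                               # not a valid hosts entry
        for name in fields[1:]:                    # one line may carry aliases
            host = name.lower().rstrip(".")        # names are case-insensitive
            if any(host == s or host.endswith("." + s) for s in suffixes):
                findings.append((line_no, str(ip), host))
    return findings

if __name__ == "__main__":
    # Pass a hosts file path (e.g. /etc/hosts) or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, host in find_overrides(text):
        print(f"line {line_no}: {host} is pinned to {ip} by the hosts file")
```

Any hit means name resolution for that host no longer reaches DNS, so traffic the client believes is going to Apple is sent to the listed address instead.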