Researcher Claims Apple Downplayed Severity of iCloud Account Takeover Vulnerability

A security researcher claims he discovered a critical vulnerability in Apple’s password reset feature that could have been used to take over any iCloud account, but Apple has downplayed the impact of the flaw.

The issue, researcher Laxman Muthiyah says, was a bypass of the various security measures Apple has in place to prevent attempts to brute force the ‘forgot password’ functionality for Apple accounts.

When attempting to reset a password, the user is prompted to provide their phone number or email address to receive a 6-digit one-time passcode.

Thus, an attacker looking to take over an account first needs to know the victim’s phone number or email address, and then either to correctly guess the 6-digit code or to be able to try all of the roughly 1 million possibilities.

To prevent brute-forcing of this code, Apple limited the number of attempts one can make to 5, and also limited the number of concurrent POST requests to the same server from the same IP address to 6, which means that an attacker would need 28,000 IP addresses to send a million requests.

As an additional security measure, Apple also blacklisted cloud service providers and appears to automatically reject POST requests coming from many of them, including AWS and Google Cloud. However, the researcher discovered that an attacker could send the requests using cloud services that are not blocked, enabling them to brute-force the 6-digit code and gain access to the targeted iCloud account.
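The two limits described above (5 attempts per reset, 6 requests per source IP) protect different things, and the article's point is that a per-IP limit alone can be spread across many addresses. The following toy model, added here as an illustration and not Apple's code or the researcher's, enforces both limits on a simulated OTP check and runs a small policy test that rotates through a pool of addresses. Everything in it is constructed: the account name, the `ipN` source labels, and the optional fixed code passed to `issue_code` exist only so the results are deterministic.

```python
import secrets
from collections import defaultdict
from typing import Optional, Tuple

OTP_DIGITS = 6
MAX_ATTEMPTS_PER_ACCOUNT = 5   # per-reset limit quoted in the article
MAX_ATTEMPTS_PER_IP = 6        # per-source-IP limit quoted in the article


class ResetService:
    """Constructed model of a 'forgot password' OTP check.

    per_account_limit=False models a service that only counts failures
    per source IP; True adds the per-reset counter that invalidates the
    code once it has been guessed wrong too often.
    """

    def __init__(self, per_account_limit: bool = True) -> None:
        self.per_account_limit = per_account_limit
        self.codes = {}                      # account -> live one-time code
        self.account_fail = defaultdict(int)  # failures against each live code
        self.ip_fail = defaultdict(int)       # failures from each source IP

    def issue_code(self, account: str, code: Optional[str] = None) -> str:
        # A real service would generate the code; the optional argument is
        # a test hook so the demonstration below is deterministic.
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.codes[account] = code
        self.account_fail[account] = 0
        return code

    def verify(self, account: str, ip: str, guess: str) -> str:
        if self.ip_fail[ip] >= MAX_ATTEMPTS_PER_IP:
            return "ip_blocked"
        if account not in self.codes:
            return "no_code"                 # expired, used, or locked out
        if secrets.compare_digest(guess, self.codes[account]):
            del self.codes[account]          # single use
            return "ok"
        self.account_fail[account] += 1
        self.ip_fail[ip] += 1
        if self.per_account_limit and self.account_fail[account] >= MAX_ATTEMPTS_PER_ACCOUNT:
            del self.codes[account]          # lockout invalidates the code itself
            return "account_locked"
        return "wrong"


def distributed_guess(service: ResetService, account: str, max_ips: int) -> Tuple[str, int, int]:
    """Policy test: submit codes in ascending order, moving to a fresh source
    label whenever the current one is blocked. Returns (outcome, attempts
    counted by the service, number of source labels used)."""
    attempts = 0
    ip_index = 0
    for n in range(10 ** OTP_DIGITS):
        guess = f"{n:0{OTP_DIGITS}d}"
        while True:
            if ip_index >= max_ips:
                return ("out_of_ips", attempts, ip_index)
            result = service.verify(account, f"ip{ip_index}", guess)
            if result == "ip_blocked":
                ip_index += 1
                continue
            attempts += 1
            break
        if result in ("ok", "account_locked", "no_code"):
            return (result, attempts, ip_index + 1)
    return ("exhausted", attempts, ip_index + 1)


if __name__ == "__main__":
    # Per-IP counting only: the test loop simply keeps rotating source labels.
    ip_only = ResetService(per_account_limit=False)
    ip_only.issue_code("alice", code="000100")
    print("per-IP limit only:", distributed_guess(ip_only, "alice", max_ips=1000))

    # Per-reset counting: the code dies after five wrong guesses, whoever sends them.
    both = ResetService(per_account_limit=True)
    both.issue_code("alice", code="000100")
    print("per-IP + per-account:", distributed_guess(both, "alice", max_ips=1000))
```

The per-account counter is keyed to the live code rather than to the caller, so the number of source addresses available makes no difference to it; the per-IP counter still has a job (it slows a single noisy client and gives detection something to alert on), but it is not what bounds the guess space.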

“Of course the attack isn’t easy to do; we need to have a proper setup to successfully exploit this vulnerability,” Muthiyah explained. “First we need to bypass the SMS 6-digit code, then the 6-digit code received in the email address. Both bypasses are based on the same method and environment…
