A unknown hacker just uploaded a password-hacking tool called iDict to GitHub that promises to use good old fashioned brute force techniques to crack iCloud passwords,giving a public threat to Apple’s online iCloud service. The tool also claims to be able to evade Apple’s rate-limiting and two-factor authentication security that’s supposed to prevent brute force attacks.
iDict’s capabilities are limited by the size of the dictionary it uses to guess your password. So you’re really only in danger if your password is on the 500-word-long list included with the hacker tool. All of the passwords fulfill the requirements for an iCloud password, but if you’re using one of these rather obvious passwords, you should change your password anyways. Here are some examples:
There is quite a low chance that this attack will actually work, but the attack would become an issue if someone with large set of resources gets access to the source code. A hacker with a much larger list of passwords might be able to compromise more accounts, however, we hope that Apple will patch this issue before this happens.
Pr0x13(the handle used by the unknown hacker) says his intentions were only to alert Apple about the vulnerability, so that the company could fix the problem as soon as possible. The tool , according to the hacker, has been released to force Apple to act on the issue and nothing else. The company needs to fix the “painfully obvious” vulnerability before it’s “privately used for malicious or nefarious activities,” Pr0x13 explains on GitHub.
It seems like it wouldn’t be that hard to swap out the 500-word-long list with an even longer, better list. Then, a tool like iDict could do real damage. Not to mention that ne’er-do-wells are probably gonna be using this tool as-is until the flaw gets fixed. So double-check your iCloud password against this list now and have a better password.Stay tunes for updates.