New iCloud Exploit Claims to Circumvent Failed Password Limit and 2-Factor Authentication

What is this?

A 100% Working iCloud Apple ID Dictionary attack that bypasses Account Lockout restrictions and Secondary Authentication on any account.

What this isn't:

A bypass or fully automated removal

Why?

This bug is painfully obvious and it was only a matter of time before it was privately used for malicious or nefarious activities. I publicly disclosed it so Apple will patch it.

Apple currently employs several publicly known security methods to prevent brute force attacks on iCloud account credentials. These include multi-factor authentication and automatic account lock-outs after more than five successive failed login attempts.

The method by which iDict is able to bypass multi-factor authentication isn’t clear, but the claimed ability to prevent an iCloud account from automatically locking after five failed login attempts would indeed be effective, as it would allow malicious users of the tool to engage in an endless brute force attack on iCloud accounts lacking multi-factor authentication until the correct password is discovered.
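To make the lockout mechanism described above concrete, here is an added illustration (not code from the article, from Apple, or from the iDict tool): a minimal server-side lockout gate that counts successive failures per account and locks it once they exceed five, together with a log-side detector that flags any account seeing a burst of failures, which is the trace a dictionary attack leaves once a lockout fails to hold. The account names, passwords, log format and log lines are all constructed for the example.

```python
"""
Added illustration (not from the article, Apple, or the iDict tool):
a per-account lockout gate plus a failure-burst detector over
constructed login logs. Every name, password and log line is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The article describes a lock-out after more than five successive
# failed attempts; the threshold is a parameter here.
MAX_FAILURES = 5


class LockoutGate:
    """Counts consecutive failures per account and locks after MAX_FAILURES."""

    def __init__(self, credentials):
        self._creds = credentials          # constructed {account: password}
        self._failures = defaultdict(int)
        self._locked = set()

    def attempt(self, account, password):
        """Return 'locked', 'ok' or 'fail'.

        The lock is checked before the password is compared, so guesses
        against a locked account never learn whether they were right.
        """
        if account in self._locked:
            return "locked"
        if self._creds.get(account) == password:
            self._failures[account] = 0     # a success resets the counter
            return "ok"
        self._failures[account] += 1
        if self._failures[account] > MAX_FAILURES:
            self._locked.add(account)       # the sixth failure trips the lock
        return "fail"

    def is_locked(self, account):
        return account in self._locked


# Constructed log lines: "<ISO timestamp> <event> account=<id>"
SAMPLE_LOG = [
    "2015-01-01T10:00:01 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:00:02 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:00:03 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:00:04 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:00:05 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:00:06 LOGIN_FAIL account=alice@example.com",
    "2015-01-01T10:01:00 LOGIN_FAIL account=bob@example.com",
    "2015-01-01T10:02:00 LOGIN_OK account=bob@example.com",
    "2015-01-01T10:40:00 LOGIN_FAIL account=bob@example.com",
]


def detect_bursts(log_lines, threshold=MAX_FAILURES, window=timedelta(minutes=5)):
    """Return the set of accounts with more than `threshold` LOGIN_FAIL
    events inside any `window`-long span. A lockout that works should
    make this set empty; a populated set is the detection signal."""
    by_account = defaultdict(list)
    for line in log_lines:
        ts, event, field = line.split(" ", 2)
        if event != "LOGIN_FAIL":
            continue
        by_account[field.split("=", 1)[1]].append(datetime.fromisoformat(ts))

    flagged = set()
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    gate = LockoutGate({"alice@example.com": "constructed-password"})
    for _ in range(6):
        gate.attempt("alice@example.com", "wrong-guess")
    print("alice locked:", gate.is_locked("alice@example.com"))
    print("accounts under attack:", detect_bursts(SAMPLE_LOG))
```

The two halves belong together: the gate is the control the article says Apple applies, and the detector is what a defender runs over authentication logs to notice when that control is not holding, whatever the reason.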

A shot of the iDict iCloud exploit tool in action (via Cody Cooper)

There is currently no official verification that iDict operates as it claims, nor has Apple publicly commented on the issue (the tool’s release on New Year’s Day has obviously slowed official responses from Apple and security firms), but users are reporting varied success via social media.

Those concerned with their own iCloud account’s security should note that, at this time, iDict appears to only pose a threat to individual and specified iCloud accounts. Further, a malicious user hoping to use the tool will need the Apple ID associated with the iCloud account, which may not always be a user’s public-facing email address. Finally, iDict uses a broad, but finite dictionary from which to draw its list of passwords during the brute force attack. If a user’s iCloud account password is not in that dictionary, the attack should not be able to succeed, although the existence of the purported security flaw may lead to more sophisticated exploits in the future.
