You've likely read about iDict, a very publicly released cracking tool designed to compromise iCloud accounts using brute-force techniques — techniques that try a series of passwords in quick succession in the hope of finding the correct one. According to reports, the vulnerability was patched by Apple within a few days. (Apple has declined to comment, however.)
The developer released the code without providing details in advance to Apple, which is unusual. The standard practice is to disclose this information privately in order to give a company time to patch the vulnerability.
iDict relied on what the author claimed was a "painfully obvious" problem with how Apple dealt with repeated password failures through a particular URL. This kind of issue is similar to reports that came out after last summer's iCloud "hack," which involved a combination of unthrottled password attempts against iCloud and attempts to answer security questions based on celebrities' biographies and other sources.
The iDict developer claimed the tool bypassed "secondary authentication." That doesn't appear to be a two-step verification hack, but rather a method that let the attacker avoid answering security questions. The tool should now be ineffective: the developer's code-repository page says that Apple has enabled "rate limiting," a process that tracks the number of queries from a given source or for a given account and clamps down when a limit is hit.
The anatomy of an attack
But how exactly did it work? Let's examine this attack, your risk of exposure, and what Apple should be doing (but may not be).
iDict and similar remote attacks without special knowledge rely on three elements: a way to perform excessive tests of passwords for an individual account; a way to bypass triggering an account lockout, throttling to reduce queries, or alerts to let the account's owner (or Apple) know that an account is being attacked; and a weak password (and sometimes also weak security questions).
By having a strong password associated with an account — and preferably one that's unique to that account — you bypass nearly all of the risk of having an account hacked through brute force methods, whether through a URL exploit like the one iDict found, or when password files or databases are stolen and cracked over time.
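The three elements above, and the point about a strong password, can be shown in a small simulation. This is an added example, not code from the article or from iDict, and everything in it (the accounts, the passwords, the wordlist, the 203.0.113.x addresses, the five-failure limit) is constructed for illustration. It models a login URL under three policies: no limiting, limiting that counts failures per source address only, and limiting that counts failures per account. The attacker can rotate source addresses, which defeats the first kind of limiter but not the second, and a password that is not in the wordlist is never found under any policy.

```python
"""Toy model of an online password-guessing attack against a login endpoint.
Added example; all accounts, passwords and addresses are constructed."""
import hashlib
import itertools
from collections import defaultdict


def _hash(pw: str) -> str:
    # Storage format is irrelevant to an online attack; any one-way hash will do here.
    return hashlib.sha256(pw.encode()).hexdigest()


# Hypothetical accounts: one weak password that appears in the wordlist, one that does not.
ACCOUNTS = {
    "alice@example.com": _hash("Summer2014"),
    "bob@example.com": _hash("k7!Qz-vR2pL#m9Wx"),
}

# Constructed wordlist; the weak password sits near the end so attempt counts are visible.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "letmein",
            "Welcome1", "Summer2014", "Autumn2014"]


class LoginEndpoint:
    """Simulated login URL. `policy` selects what the rate limiter counts."""

    def __init__(self, policy="none", max_failures=5):
        assert policy in ("none", "per_source", "per_account")
        self.policy = policy
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # limiter key -> consecutive failed attempts

    def _key(self, account, source_ip):
        if self.policy == "per_source":
            return source_ip
        if self.policy == "per_account":
            return account
        return None  # no limiting at all

    def login(self, account, password, source_ip):
        """Return 'ok', 'bad' or 'locked'; nothing else leaks to the caller."""
        key = self._key(account, source_ip)
        if key is not None and self.failures[key] >= self.max_failures:
            return "locked"
        stored = ACCOUNTS.get(account)
        if stored is not None and stored == _hash(password):
            if key is not None:
                self.failures[key] = 0
            return "ok"
        if key is not None:
            self.failures[key] += 1
        return "bad"


def brute_force(endpoint, account, wordlist, rotate_sources=False):
    """Attacker: try each word in turn; optionally rotate the source address per attempt.
    Returns (password or None, number of requests sent)."""
    sources = itertools.cycle(f"203.0.113.{i}" for i in range(1, 255))
    attempts = 0
    for guess in wordlist:
        ip = next(sources) if rotate_sources else "203.0.113.1"
        attempts += 1
        result = endpoint.login(account, guess, ip)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    for policy in ("none", "per_source", "per_account"):
        for rotate in (False, True):
            found, n = brute_force(LoginEndpoint(policy), "alice@example.com",
                                   WORDLIST, rotate_sources=rotate)
            print(f"{policy:12s} rotate={rotate!s:5s} -> {found!r} after {n} requests")
    print("strong password:", brute_force(LoginEndpoint("none"), "bob@example.com", WORDLIST))
```

Running it shows the weak account falling on the seventh request when nothing is limited, the per-source limiter stopping the attack on the sixth request only until the attacker starts rotating addresses, and the per-account limiter holding regardless of how many addresses the attacker has. The strong password survives even the unlimited endpoint, which is the article's point: the limiter is Apple's job, the password is yours.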
Despite the incompetence at Sony, which allowed IT and other personnel to store unencrypted passwords in files named "Password," most sites store passwords as the output of a one-way hashing algorithm, which transforms the plain text into something that's impractical to reverse. There are weaknesses in older hashing algorithms — still in use out of laziness and lack of updates — that could allow a government agency or criminal enterprise trying to crack individual account passwords to succeed. More sensible sites employ stronger methods.
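The difference between a weak and a strong storage scheme is easiest to see by counting the work an attacker has to do once a password table has been stolen. The following is an added example, not code from the article or from any site it mentions; the user names, passwords and wordlist are constructed, and unsalted SHA-1 is used only as a stand-in for the unnamed "older algorithm" (the article does not say which one). The stronger scheme is a per-user random salt with PBKDF2-HMAC-SHA256, at an iteration count kept deliberately low here so the example runs quickly.

```python
"""Offline cracking cost of an unsalted fast hash versus a salted, iterated KDF.
Added example; users, passwords and wordlist are constructed."""
import hashlib
import os

# Constructed wordlist and hypothetical users (two weak passwords, one strong).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1", "Summer2014", "Autumn2014"]
PLAINTEXTS = {"alice": "Summer2014", "carol": "letmein", "bob": "k7!Qz-vR2pL#m9Wx"}
ITERATIONS = 20_000  # kept low for the example; real deployments tune this much higher


def store_fast(passwords):
    """Older scheme: one unsalted SHA-1 per password (stand-in for the unnamed weak algorithm)."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in passwords.items()}


def store_slow(passwords):
    """Stronger scheme: per-user random salt plus PBKDF2-HMAC-SHA256 with many iterations."""
    table = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        table[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return table


def crack_fast(table, wordlist):
    """No salt: hash each word once and match it against every user at no extra cost.
    Returns (cracked users, number of hash computations)."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_slow(table, wordlist):
    """Salt forces the attacker to redo the work per user, and each guess costs ITERATIONS
    hash computations. Returns (cracked users, number of underlying hash computations)."""
    cracked = {}
    kdf_calls = 0
    for u, (salt, digest) in table.items():
        for w in wordlist:
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                cracked[u] = w
                break
    return cracked, kdf_calls * ITERATIONS


if __name__ == "__main__":
    print("fast, unsalted:", crack_fast(store_fast(PLAINTEXTS), WORDLIST))
    print("slow, salted:  ", crack_slow(store_slow(PLAINTEXTS), WORDLIST))
```

Both schemes give up the two passwords that are in the wordlist, because hashing does nothing for a password an attacker can guess. What changes is the price: the unsalted table costs seven hash computations for all three users together, while the salted, iterated table costs seventeen KDF evaluations of twenty thousand hashes each, and that cost grows with every additional user and every additional guess. The strong password is not recovered from either table.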