‘Find My iPhone’ Flaw: Login Attempts Weren’t Rate-Limited

Owen Williams, reporting for The Next Web:

An alleged breach in Apple’s iCloud service may be to blame for countless leaks of private celebrity photos this week.

On Monday, a Python script emerged on GitHub (which we’re not linking to as there is evidence a fix by Apple is not fully rolled out) that appears to have allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find My iPhone service. Brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one.
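The control the headline says was missing, as an added illustration that is not part of the report or of Apple's code: a per-account sliding-window limit on failed logins with a lockout, replayed against a constructed sequence of scripted guesses. The window, threshold and lockout values are assumptions.

```python
from collections import defaultdict, deque
WINDOW_SECONDS = 300   # sliding window for counting failures (assumed value)
MAX_FAILURES = 5       # failures allowed per account per window (assumed)
LOCKOUT_SECONDS = 900  # cool-off after the limit is reached (assumed)

class LoginRateLimiter:
    """Per-account failed-login counter with a lockout once the limit is hit."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, account, now):
        """True if the attempt may proceed to password verification."""
        if self.locked_until.get(account, 0) > now:
            return False
        self._prune(account, now)
        return len(self.failures[account]) < MAX_FAILURES

    def record(self, account, now, success):
        """Update state after the password check; lock on reaching the limit."""
        if success:
            self.failures[account].clear()
            self.locked_until.pop(account, None)
            return
        self.failures[account].append(now)
        self._prune(account, now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS

def replay(events, enforce=True):
    """Replay (time, account, password_ok) attempts; return one outcome each:
    'ok', 'denied' (wrong password) or 'blocked' (refused before any check)."""
    limiter = LoginRateLimiter()
    outcomes = []
    for t, account, password_ok in events:
        if enforce and not limiter.check(account, t):
            outcomes.append("blocked")  # the guess is never evaluated
            continue
        limiter.record(account, t, password_ok)
        outcomes.append("ok" if password_ok else "denied")
    return outcomes

# Constructed sample: one guess per second at one account; the ninth (t=8) is correct.
SAMPLE = [(t, "victim@example.com", t == 8) for t in range(10)]
```

With enforcement on, the correct guess is refused along with the wrong ones, so a scripted guesser learns nothing from the endpoint; with it off, the same sequence yields the account on the ninth try.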

Monday, 1 September 2014