Password Reset iCloud Account Vulnerability
Laxman Muthiyah (Hacker News):
Therefore, the attacker would require 28K IP addresses to send up to 1 million requests to successfully verify the 6 digit code.
28k IP addresses looks easy if you use cloud service providers[…] And it worked!!! 🎉🎉🎉 Now I can change the password of any Apple ID with just their trusted phone number 😇
[…]
As you can see in the email screenshot, [Apple’s] analysis revealed that it only works against iCloud accounts that has not been used in passcode / password protected Apple devices.
I argued that even if the device passcode (4 digit or 6 digit) is asked instead of 6 digit code sent to email, it will still share the same rate limits and would be vulnerable to race condition based brute forcing attacks. We will also be able to discover the passcode of the associated Apple device.
[…]
They concluded that the only way to brute force the passcode is through brute forcing the Apple device which is not possible due to the local system rate limits.
He doesn’t seem to believe that, but I lean towards believing Apple there.
Apple offered him a bug bounty of $18K, which I do agree seems low given the vulnerability that he did demonstrate:
They need not reward the upper cap of the iCloud account takeover ($100k) but it should at least be close to it considering the impact it has created.
After all my hard work and almost a year of waiting, I didn’t get what I deserved because of Apple’s unfair judgement.
Apple seems to be developing a reputation for being slow and stingy in responding to security bounties, which I don’t think is a good sign for the security of its platforms. Do they want to incentivize hackers to do the right thing or not?
Previously:
- Sandbox Doesn’t Protect Files From stat()
- Safari Privacy Protections Bypass
- Apple vs. Security Researchers
- Mac Sandbox Escape via TextEdit
- Mac Bug Bounty Program Opens
- File System Events Privacy Protections Bypass
- Apple Security
Update (2021-07-30): See also: Catalin Cimpanu.