A security researcher recently announced that he could discover a crucial vulnerability in one of Apple's features -- the password reset function. The researcher claimed that it could be utilized to take over any existing iCloud account.
He also said that Apple has been downplaying the issue and its impact.
Apple Security Issue
Apple continued to face new issues, but the company somehow managed to get through each problem quickly.
Security Week reported that according to Laxman Muthiyah, the issue was a bypass of the numerous security measures that Apple prepared to avoid attempts to force the "forgot password" feature for Apple accounts.
In resetting a password, the user is required to provide their email address or phone number to get a 6-digit OTP (one-time passcode).
The attacker looking to hack into the user's account will use the given information to get their hands on the OTP. The 6-digit code will then allow them to log into the victim's account without exemplifying any malicious activities.
What Did Apple Do?
To resolve the issue, Apple eagerly provided a solution that prevents brute-forcing of the 6-digit code.
Apple decided to limit the number of attempts that users can make to five. The company also constricted the number of available concurrent POST requests to the server within the same IP address to only six. As a result, the attacker would need a total of 28,000 IP addresses to send over one million requests.
Apple even went the extra mile to provide an additional security measure.
The Cupertino-based company blocked all cloud service providers, and it seemed like Apple rejected POST requests from most providers.
AWS and Google Cloud are only some of the well-known providers that have already been blocked.
As a way to reward Muthiyah, the giant tech compaby initially offered to reward him with $18,000. However, he refused the reward, and said that the tech giant downplayed the flaw's impact.
Muthiyah also mentioned that he should have been offered $100,000 or $350,000.\
Another Way to Attack?
Despite Apple's attempt to provide enough security measures, Muthiyah discovered that an attacker could still send requests using unblocked cloud services. By doing this, the attacker can still brute-force the 6-digit OTP to hack into the iCloud account without the owner's permission.
According to Muthiyah, the attack is not easy to execute because a proper setup is needed to exploit the vulnerability.
The attacker initially has to bypass the 6-digit one-time passcode received by the user through his or her email address or phone number. The bypasses are primarily based on the same environment and method, so there is no need to change anything when trying the second bypass.
Even when the victim has enabled the two-factor authentication function, the attacker can still access their account, thanks to the 2FA endpoint that shares the rate limit.
Muthiyah added that vulnerability was also in the password validation endpoint.
This article is owned by Tech Times
Written by Fran Sanders