Ondrej Holzman At the beginning of September, Apple solved a very unpleasant problem with the leak of sensitive photos from the iCloud accounts of famous celebrities. Was not although the service as such is broken, Apple used to be able to avoid the vulnerability in the form of the possibility to enter the password an infinite number of times. Just listen to London-based security expert Ibrahim Balic.
London-based security researcher Balic notified Apple of the potential problem long before hackers actually discovered the weakness in iCloud they took advantage of. Packer according to The Daily Dot Apple informed back in March and described the security problem precisely in its email.
In a March 26 email to Apple employees, Balic wrote:
I found a new issue related to Apple accounts. Using a brute force attack, I can try more than twenty thousand times to enter passwords on any account. I think a limitation should be applied here. I am attaching a screenshot. I found the same issue on Google and got an answer from them.
It is precisely by entering passwords endlessly, thanks to which the hackers finally found the passwords of famous personalities, apparently they broke into iCloud accounts. An Apple employee replied to Balic that he was aware of the information and thanked him for it. In addition to e-mail, Balic also reported the problem through a special page dedicated to reporting errors.
Apple finally responded in May, writing to Balic: “Based on the information you provided, it appears that it would take an inordinate amount of time to find a working authentication token for the account. Do you believe you know of a method that could provide access to the account in a reasonable amount of time?'
Apple's security engineer Brandon apparently didn't take Balic's discovery as much of a threat. "I believe they haven't completely solved the problem. They kept telling me to show them more," said Balic.
Interesting that after breaking it could be repaired once or twice.
There are just cocky people at Apple who think they are something more than others.
So, above all, the person who sets the password 12345 is stupid. I would not demonize it. Apple blocks the account after entering the wrong password a second time, which means that it is still being logged out.
It hasn't been that long since a certain bank (I think FIO) had a similar problem. The client's login name was a sequence of numbers, and after entering the password for the third time, the account was blocked and the client had to go to the bank to reset it. Well, what didn't happen? Someone just ran the numbers and blocked everyone's account.
Something similar can happen to Apple. Someone will pass a lot of respect and block them. So, how annoying is iCloud password reset?
IMO this is a feature to protect idiots, it just annoys others.
In my opinion, there are 2 reasonable solutions:
1. do not allow users to use simple passwords and leave an infinite number of attempts at entry.
2. after the xth entry of the wrong password, offer the user either authorization via mobile phone, e-mail, iCloud password reset OR wait x hours until the next attempt, and in connection with this, warn the user and Apple about several wrongly entered passwords.
It was definitely not right to let everything be, to allow users to use simple passwords and to allow an infinite number of attempts to enter them. It is clear that the people themselves are to blame, but the company must accept that people are stupid.
Security was really at a very poor level. Just as you have to protect yourself from hackers, because someone can always attack, you also have to protect yourself from stupid users, because there will always be those..
For example, the second solution would lead to the fact that if someone tried passwords and blocked accounts, their services would stop working for affected users. No sync with iCloud. Do you think this is better? For such large systems, there is practically no perfect solution, rather only the least problematic one.
Apple has its nose up and it's all about iMoney.
Here for a change I'm going to fix the bash.
If Jobs had the opportunity to come back to the world, the first thing he would do is to fire at least half of the management at Apple, there would probably be no one left in that management at all, because what that girl is doing in that company, that's it it's really a peak, and as I say, even a person like Jobs was very wrong there :-( Jobs was already fired from Apple once in his life and it turned out really bad, and when he came back, Apple worked again, but alas, they won't come back now, really the fault of the person who will stand over them and beat them on the head and cut their hands