CommunityNews

How I Found a Vulnerability to Hack iCloud Accounts and How Apple Reacted to It

This article is about how I found a vulnerability on Apple's forgot-password endpoint that allowed me to take over an iCloud account. The vulnerability has been completely patched by Apple's security team and no longer works. Apple's security team rewarded me $18,000 USD as part of their bounty program, but I refused to receive it. Please read the article to know why I refused the bounty.

After my Instagram account takeover vulnerability, I realized that many other services are vulnerable to race-hazard-based brute forcing. So I kept reporting the same issue to the affected service providers, like Microsoft, Apple and a few others.

Many people mistook this vulnerability for a typical brute-force attack, but it isn't. Here we are sending multiple concurrent requests to the server to exploit the race condition present in the rate limits, making it possible to bypass them.

Now let's see what I found in Apple.

Read in full here:

This thread was posted by one of our members via one of our news source trackers.
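The excerpt above describes a rate limit that can be bypassed by concurrent requests because the limiter reads the counter, decides, and only then writes it back, leaving a window in which every in-flight request sees the same stale count. The following is an added illustration (not code from the article or from Apple) of that check-then-write pattern beside a limiter that makes the check and the increment one atomic step. The `io_delay` parameter, the class and function names, and the in-memory dictionary are constructed for this example; the delay stands in for the round trip to a real datastore, and the lock stands in for an atomic increment such as a database or cache `INCR`, which is what a production fix would use.

```python
import threading
import time


class RacyRateLimiter:
    """Check-then-write limiter: reads the count, decides, then stores count + 1.

    Any request that reads the counter before another request's write lands
    sees the same stale value, so a burst of concurrent requests all pass.
    """

    def __init__(self, limit, io_delay=0.1):
        self.limit = limit
        self.io_delay = io_delay  # simulated datastore round trip (constructed)
        self.attempts = {}        # key -> attempts in the current window

    def allow(self, key):
        count = self.attempts.get(key, 0)   # read
        if count >= self.limit:
            return False
        time.sleep(self.io_delay)           # window between read and write
        self.attempts[key] = count + 1      # write back a possibly stale value
        return True


class AtomicRateLimiter:
    """Same logic, but check and increment happen under one lock.

    The lock here plays the role of an atomic counter operation in the
    backing store; concurrent requests are serialised, so exactly `limit`
    of them are admitted regardless of how many arrive at once.
    """

    def __init__(self, limit, io_delay=0.1):
        self.limit = limit
        self.io_delay = io_delay
        self.attempts = {}
        self._lock = threading.Lock()

    def allow(self, key):
        with self._lock:
            count = self.attempts.get(key, 0)
            if count >= self.limit:
                return False
            time.sleep(self.io_delay)
            self.attempts[key] = count + 1
            return True


def simulate_burst(limiter, key, n_requests):
    """Fire n_requests at the limiter at the same instant; return how many were admitted.

    A Barrier releases all worker threads together so the requests overlap
    the way concurrent network requests would.
    """
    barrier = threading.Barrier(n_requests)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        admitted = limiter.allow(key)
        with results_lock:
            results.append(admitted)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    limit, burst = 3, 10
    print("racy limiter admitted:  ", simulate_burst(RacyRateLimiter(limit), "user@example", burst))
    print("atomic limiter admitted:", simulate_burst(AtomicRateLimiter(limit), "user@example", burst))
```

Running it shows the racy limiter admitting far more than its limit for a burst of ten simultaneous requests while the atomic one admits exactly three. The detection angle for defenders follows from the same shape: a rate limiter whose logs show more successful attempts per window than the configured limit, all arriving within a few milliseconds of each other, is the signature of this class of bug.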

Most Liked

OvermindDL1

Very unethical of Apple…
