CommunityNews

CommunityNews

How I Found a Vulnerability to Hack iCloud Accounts and How Apple Reacted to It

This article is about how I found a vulnerability on Apple forgot password endpoint that allowed me to takeover an iCloud account. The vulnerability is completely patched by Apple security team and it no longer works. Apple Security Team rewarded me $18,000 USD as a part of their bounty program but I refused to receive it. Please read the article to know why I refused the bounty.

After my Instagram account takeover vulnerability, I realized that many other services are vulnerable to race hazard based brute forcing. So I kept reporting the same with the affected service providers like Microsoft, Apple and a few others.

Many people mistook this vulnerability as typical brute force attack but it isn’t. Here we are sending multiple concurrent requests to the server to exploit the race condition vulnerability present in the rate limits making it possible to bypass it.

Now lets see what I found in Apple.

Read in full here:

This thread was posted by one of our members via one of our news source trackers.

Most Liked

OvermindDL1

OvermindDL1

Very unethical of Apple…

Where Next?

Popular Macos topics Top

AstonJ
This is a good guide about what to look for when getting a retina/non-retina monitor for your Mac. In short, around 110PPI is a good fit...
New
First poster: bot
mikelxc/Workarounds-for-ARM-mac. This repository describes how I get most of my configurations work on the new Apple Silicon Mac - mikel...
New
First poster: bot
Really, really add /usr/local/bin to the PATH variable on macOS. In newer macOS custom executables belong in a directory which is not in...
New
First poster: bot
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, which are stil...
New
CommunityNews
We’re all familiar with the Mac’s startup chime. While it has changed over the years, it has greeted users with its friendly tone for dec...
New
CommunityNews
This article is about how I found a vulnerability on Apple forgot password endpoint that allowed me to takeover an iCloud account. The vu...
New
First poster: bot
Learn how to use the brand new actor model to protect your application from unwanted data-races and memory issues.
New
First poster: bot
First Look: macOS Monterey Public Beta. If there’s a theme of Apple’s operating-system releases in 2021, it’s platform unification. This...
New
First poster: bot
Executive Summary TCC is meant to protect user data from unauthorized access, but weaknesses in its design mean that protections are eas...
New
First poster: bot
My journey from macOS to FreeBSD. Personal experience with moving away from Apple’s world.
New

Other popular topics Top

siddhant3030
I’m thinking of buying a monitor that I can rotate to use as a vertical monitor? Also, I want to know if someone is using it for program...
New
New
PragmaticBookshelf
Rust is an exciting new programming language combining the power of C with memory safety, fearless concurrency, and productivity boosters...
New
AstonJ
Thanks to @foxtrottwist’s and @Tomas’s posts in this thread: Poll: Which code editor do you use? I bought Onivim! :nerd_face: https://on...
New
AstonJ
Just done a fresh install of macOS Big Sur and on installing Erlang I am getting: asdf install erlang 23.1.2 Configure failed. checking ...
New
AstonJ
If you are experiencing Rails console using 100% CPU on your dev machine, then updating your development and test gems might fix the issu...
New
gagan7995
API 4 Path: /user/following/ Method: GET Description: Returns the list of all names of people whom the user follows Response [ { ...
New
husaindevelop
Inside our android webview app, we are trying to paste the copied content from another app eg (notes) using navigator.clipboard.readtext ...
New
New
PragmaticBookshelf
Fight complexity and reclaim the original spirit of agility by learning to simplify how you develop software. The result: a more humane a...
New