A security researcher claims to have identified a significant issue in Apple’s password reset tool that could have been exploited to take control of any iCloud account, but Apple has downplayed the flaw’s significance.
According to researcher Laxman Muthiyah, the problem was a bypass of the several rate-limiting controls Apple uses to stop brute-force attacks against the “forgot password” flow for Apple accounts.
When a user tries to reset their password, they are asked for their phone number or email address in order to acquire a 6-digit one-time passcode.
To gain access to the account, an attacker must first know the victim’s phone number or email address, then either guess the 6-digit code or be able to try all 1,000,000 possible values (000000 through 999999).
To prevent brute-forcing of this code, Apple limits the number of attempts to 5 and caps concurrent POST requests to the same endpoint from a single IP address at 6; by the researcher’s arithmetic, an attacker would therefore need roughly 28,000 IP addresses to send a million requests.
Apple also appears to block POST requests originating from the address ranges of many cloud service providers, including Amazon Web Services and Google Cloud. According to the research, however, requests routed through cloud providers that were not blocked went through, which would allow an attacker with enough addresses to brute-force the 6-digit code and gain access to the targeted iCloud account.
“Of course, the attack isn’t simple to carry out; we’ll need a good setup to exploit this vulnerability,” Muthiyah explained. “First, we must bypass the SMS 6 digit code, followed by the 6 digit code acquired via email. Because both bypasses use the same method and environment, we don’t need to do anything differently when attempting the second bypass. We can still access the account even if the user has two factor authentication enabled because the 2FA endpoint shares the rate limit and is vulnerable. The password validation endpoint also had the same vulnerability.”
Apple was notified of the issue on July 1, 2020, and a fix was released in April 2021. According to the researcher, Apple did not inform him once the problem had been resolved.
Apple also told him that only “a very small proportion of accounts were ever compromised, and incredibly few Apple device users were exposed.”
“This technique only works against Apple ID accounts that have never been used to log in on a password-protected iPhone, iPad, or Mac,” the company clarified, dismissing the researcher’s claim that all iCloud accounts are vulnerable.
According to Muthiyah, Apple attempted to play down the severity of the vulnerability by editing a related support page. Based on his investigation, he believes the change was made in October 2020.
The researcher also discussed the problem with Apple’s security engineers, who told him that device passcodes are verified on the device rather than being sent to Apple’s servers, and that the passcode validation endpoint had rate limits that could not be bypassed, which would have blocked the attack. Muthiyah, on the other hand, believes the endpoint was vulnerable prior to his report and was patched in the interim.
“If they patched it after my disclosure, the vulnerability became far more serious than I had anticipated. We [would] be able to detect the right passcode by differentiating the responses by brute forcing the passcode. As a result, we can not only gain access to any iCloud account, but also learn the passcode of the Apple device that is linked to it. Even though the technique is difficult, if my theory is correct, this vulnerability might hack any iPhone / iPad with a 4 digit / 6 digit numeric passcode,” he claims.
However, the endpoint has since been patched, so the researcher’s claim cannot be verified.
Apple offered the researcher an $18,000 bug bounty, but he declined, arguing that the firm understated the severity of the flaw and that the finding should have earned $100,000 or even $350,000.