re: Apple denies iCloud breach for The Fappening

quote:

---

it doesnt mean they didnt all use the same attack vector

---

The most recently patched attack vector isn't the only one though. Looking for the password requirements I ran across this article from June on a Forensic tool that was capable of retrieving and cracking iCloud backups, without a password if you had access to their PC.

quote:

---

It’s not black magic, but works as a command-line tool extracting the iCloud binary authentication token. The “user must’ve been logged in to iCloud Control Panel on that PC at the time the computer is seized. If the user logged out of the Panel, the authentication tokens are then deleted.”

The newest version of Elcomsoft Phone Password Breaker can recover “the original plain-text passwords protecting encrypted backups for Apple and BlackBerry devices.” Those backups “contain address books, call logs, SMS archives, calendars and other organizer data, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache.” Apple users, even if you don’t manually create backups, backups happen automatically every time you sync your device.

iCloud Control Panel is part of iTunes and comes installed on OS X devices, but has to be installed on Windows devices. “The given feature is confirmed to work even for accounts with Apple's two-step verification enabled, but does NOT work for Microsoft Live! accounts that use 2FA.”

---

LINK

I said in another thread that Apple has taken a bare minimum strategy with the cloud, so they certainly need to be taken to task over any problems caused by that, but I've seen people connect the wrong attack vector dots based solely on time correlation. After reading the article I posted I think I'll uninstall my iCloud control panel. I never really use it and if a security tool can weaponize it then a virus could too.