A hacker has released a tool that he says can break into any iCloud account.
The tool, iDict, uses an exploit in Apple’s security to bypass restrictions that stop most hackers from gaining access to accounts.
On iDict’s GitHub page, user “Pr0x13” says the exploit used to create the hacking tool is “painfully obvious” and that it “was only a matter of time” before hackers used it to break into iCloud accounts.
The tool is described as a “100% working iCloud Apple ID dictionary attack that bypasses account lockout restrictions and secondary authentication on any account.”
There’s no confirmation that iDict is indeed a working exploit, but users on Twitter and Reddit are claiming to have tested the tool and found it to work as described.
Apple has multiple ways to stop hackers from breaking into its online iCloud service. First off, it stops people from guessing passwords over and over again by blocking “brute force” attacks. Apple also lets people verify login attempts using their mobile phone through two-factor authentication. But iDict purportedly bypasses those security steps.
If iDict does work as described, there’s very little people can do to keep their account secure. The tool does require its users to know the email address associated with an iCloud account before it tries to hack into it. One way to make an iCloud account more secure is to use an email address that hasn’t been shared online.
Meanwhile, questions are being raised as to why the hacking tool was released online at all. When security researchers uncover exploits in software or websites, they often privately report them to companies to avoid widespread use of security holes by hackers.
iCloud was the online service that hackers broke into last year to leak naked photographs of hundreds of celebrities online. Stars like Jennifer Lawrence and Kate Upton had their accounts broken into when hackers managed to bypass Apple’s security-question system. The company later rolled out improved security aimed at stopping hackers from accessing accounts.
We reached out to Apple for comment on this story and will update if we hear back.