#Michael Posted May 22, 2014

I suppose this goes along with yesterday's report with eBay:

> An anonymous hacker who has exploited an iCloud security flaw that lets anyone unlock a lost or stolen iPhone says Apple contacted him about the matter today, but he deleted the email.
>
> "They have asked me to contact [them] as quickly as possible, but why now?" the hacker, who goes by AquaXetine, said in an email to Cult of Mac. "I've already warned Apple couple months ago."
>
> Cult of Mac confirmed that the email did in fact come from Apple.
>
> The hack, which is the first of its kind, bypasses the iCloud security system for locked iOS devices called Activation Lock. By using the free DoulCi site, which appeared to be offline most of the day but is now back up, a locked iOS device can be tricked into thinking it's talking to Apple's iCloud servers when connected to a computer.

Full article over at Cult of Mac: http://www.cultofmac.com/280189/icloud-hacker-calls-apples-response-little-late/

User6060 Posted May 22, 2014

This guy can suck an egg. Doesn't matter how long Apple takes to email you back, you obviously did it to help the black market.

#Michael (Author) Posted May 22, 2014

> This guy can suck an egg. Doesn't matter how long Apple takes to email you back, you obviously did it to help the black market.

I would also say based on this person's tweets that it sounds like he/she is a teenager. Very immature language.

Dan~ Posted May 22, 2014

I see a lot of phones on eBay saying iCloud activation lock? What does that mean? Basically stolen? Is there a legitimate way around them, or are they basically dead?

Chicane-UK (Veteran) Posted May 22, 2014

Does seem a bit of a mistake to think you can go head to head with one of the world's largest tech companies and not come out having taken a bit of a beating.

Rippleman Posted May 22, 2014

> I see a lot of phones on eBay saying iCloud activation lock? What does that mean? Basically stolen? Is there a legitimate way around them, or are they basically dead?

This is the owners of any iOS 7+ devices "kill switch". Not always stolen but could be.

When an owner of an iOS 7+ device logs in with their Apple ID (iCloud username/password) the system registers the serial number of the device on Apple's servers. Any time thereafter, any time that device needs to be activated, it needs this username and password UNLESS the user has removed "FIND MY IPHONE".

So let's say someone steals your device (or you lose it). 2 scenarios:

1) Let's say you didn't have your phone locked. Well, the thief (or finder) could go in and say "RESET THIS DEVICE" which it would. BUT when it's done and comes back on, when it was time to activate the device, you NEED to put in the Apple ID (iCloud) information or the device is a brick.

2) Let's say you did have your phone locked. Well, the thief (or finder) could plug into iTunes and do a full system restore/wipe which it would. BUT when it's done and comes back on, when it was time to activate the device, you NEED to put in the Apple ID (iCloud) information or the device is a brick.

If the user DOES NOT remove this Apple ID from "FIND MY IPHONE" before selling it, or giving it away, it is a brick to the new owner.

Rippleman Posted May 22, 2014

Who the heck would input their username password into here???!!!! lol

http://doulci.net/#crew

jasondefaoite Posted May 22, 2014

> Who the heck would input their username password into here???!!!! lol
>
> http://doulci.net/#crew

Er .. no one? It's an image. No text fields. The only thing you need from the site is the server IP to add to your HOSTS file. After that fire up iTunes and it should activate without knowing the user/pass for the locked phone.

While all things get hacked, I think Apple's response to this was ###### to say the least. The guy emailed Apple over this 2 months ago and as usual was ignored. No reply. So now the server has gone live and is unlocking phones, Apple emails him. Too little too late. Apple need to get this fixed.

User6060 Posted May 22, 2014

> Er .. no one? It's an image. No text fields. The only thing you need from the site is the server IP to add to your HOSTS file. After that fire up iTunes and it should activate without knowing the user/pass for the locked phone.
>
> While all things get hacked, I think Apple's response to this was #### to say the least. The guy emailed Apple over this 2 months ago and as usual was ignored. No reply. So now the server has gone live and is unlocking phones, Apple emails him. Too little too late. Apple need to get this fixed.

1) A nobody emails a large corporation with an unverified claim.

2) This email has to find the right people in charge of iOS security and the right person in charge of managing personnel.

3) Other work is on-going, so how much time or resources do you allocate to an unverified claim from a random email?

4) Once you start looking into the issue, how long do you think it would take to research potential sources of the flaw?

If you think you can just email Google and they will be like "hey thanks for the heads we are stopping all development and focusing on the issue you brought up", that's cray-cray.

+LogicalApex (MVC) Posted May 22, 2014

> 1) A nobody emails a large corporation with an unverified claim.
>
> 2) This email has to find the right people in charge of iOS security and the right person in charge of managing personnel.
>
> 3) Other work is on-going, so how much time or resources do you allocate to an unverified claim from a random email?
>
> 4) Once you start looking into the issue, how long do you think it would take to research potential sources of the flaw?
>
> If you think you can just email Google and they will be like "hey thanks for the heads we are stopping all development and focusing on the issue you brought up", that's cray-cray.

A large company like Apple should have a dedicated security team who verifies and prioritizes these "random" emails. I imagine that most vulnerabilities reported appear to come from random individuals. Especially with the bounties most companies offer to incentivize prompt reporting to them first.

Someone at Apple dropped the ball here; at least that's what it appears to be in my cursory skimming of the issue at hand.

Rippleman Posted May 22, 2014

> Er .. no one? It's an image. No text fields. The only thing you need from the site is the server IP to add to your HOSTS file. After that fire up iTunes and it should activate without knowing the user/pass for the locked phone.
>
> While all things get hacked, I think Apple's response to this was #### to say the least. The guy emailed Apple over this 2 months ago and as usual was ignored. No reply. So now the server has gone live and is unlocking phones, Apple emails him. Too little too late. Apple need to get this fixed.

Ohhh, shoot, didn't even notice that, I assumed for some reason they needed your ID to do it and didn't notice it was just a pic.

Astra.Xtreme Posted May 22, 2014

> A large company like Apple should have a dedicated security team who verifies and prioritizes these "random" emails. I imagine that most vulnerabilities reported appear to come from random individuals. Especially with the bounties most companies offer to incentivize prompt reporting to them first.
>
> Someone at Apple dropped the ball here; at least that's what it appears to be in my cursory skimming of the issue at hand.

That actually probably is the case, but emails that are sent full of immaturity will likely get ignored. Going by the (kid's?) Twitter account, he has a pretty p*ss poor attitude. If I email any company and say "lololollolo I haxored your sh*t. You've been warned...", I don't think they would give a damn.

User6060 Posted May 22, 2014

I don't think most vulnerabilities come from random people. They come from security researchers from respected firms, they come from people working on shared tech like Chromium project updating WebKit or Google security, they come from people who don't email from a Gmail or Hotmail account.

You can look at these for example, most come from Google people:

http://support.apple.com/kb/HT6150
http://support.apple.com/kb/HT6254

That submit vulnerabilities page linked above doesn't go directly to the project manager in charge of iOS or OS X security, someone has to filter and forward it and rank its importance based on lots of factors like who it comes from and what they say in the email.

Like I said, if you're a nobody who emails Apple don't expect an immediate response.