Free Republic

To: VanDeKoik

These two Aussies say they couldn’t crack iCloud, but this woman says it was terribly easy.

“All you need is someone’s iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes.”

How I Hacked My Own iCloud Account, for Just $200
http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/

This is all about fanbois running interference for the most secure OS in the world that needed extra effort to actually secure but they couldn’t say that ‘cause it would give the impression that Apple screwed up.

And now it’s coming out that two-part verification wouldn’t have secured these accounts anyway.

“While Apple has offered two-factor authentication on accounts for some time now, there is an omission in that system that hackers are taking advantage of. iCloud backups are not protected by two-factor authentication, and can be installed on new devices with only an Apple ID and password.”

Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams
http://techcrunch.com/2014/09/02/apples-two-factor-authentication-doesnt-protect-icloud-backups-or-photo-streams/


25 posted on 09/04/2014 7:50:23 PM PDT by Leonard210 (Pro-life Creationist, Constitutional Federalist, Deprogrammed Apple Flunky)


To: Leonard210; for-q-clinton
“All you need is someone’s iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes.”

If you HAVE anyone's password then of course you've got access.

Let's look at what your linked article claims. . .

“In fact, I was able to use an iBrute-like tool to crack my own password (which, to be clear, was chosen to be extremely easy to crack. Like, it was Passw0rd1. Apple wouldn't let me use Passw0rd, but Passw0rd1 was just fine.).”

That Passw0rd1 is on the list of the twenty most commonly used passwords. iBrute uses the 500 most commonly used passwords to attempt its break-ins. She knew this, so she used one. Whoop-do-doo. Apple warns users who attempt to use passwords such as hers that it is too weak. They have a tool right when you input your proposed password testing its strength. Anyone can SEE immediately how robust their password is.

Had either she or her sister used two-factor authentication, none of this could have worked. I use it. Her sister would have gotten a text on a trusted device with a PIN number that had to be input before going further. NO SECURITY QUESTIONS TO GUESS. A text to her sister telling her someone was trying to access her account, and if it was her, she could continue by entering the PIN. Three chances to get it right, or it's locked. That's it.

It is also noted that the EPPB software she then used also works for multiple platforms, not just Apple.

“The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.”

And again requires the user name and an easily cracked password. She used her sister's account to break into by changing her password. . . as if she doesn't know the secret details that might be in the security question of her sister, right, sure. That was easy. Try that with a complete stranger. Not so easy, is it?

Then she claims she could sneaker net a USB stick and steal the "iCloud access Token" from all of her colleagues' computers and easily break into their personal iCloud accounts with the $400 EPPB Pro version. But, there is a caveat she mentions only in passing as though it's just a minor trivial issue. The target of her nefarious theft—I'm certain she would want to steal this data surreptitiously—must be logged onto his or her iCloud account on their computer with their user name and password for her to steal the Token! Most people are not logged in except rarely. I have logged into my iCloud account on my Mac exactly twice in two years. . . both times to check for a lost email. Other than that, nope. Everything else, I handle on my iPad or iPhone. She's not going to get my Token off my encrypted Macs. . . and not off most anyone else's for the same reason. The odds they will be logged onto iCloud are slim and none. If she's going to rely on a remote malware invasion to get it from a Mac which would lie in wait for some future iCloud connection . . . that's even harder. So BZZZZT! Not happening as easily as she implies.

Guess what, I just tried logging on from my Mac. . . it required Two-factor authentication. . . and I have the token. So that's out too. Oh, well. EPPB is out of options.

26 posted on 09/04/2014 10:14:50 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
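
The gap discussed in post 26, where a password like Passw0rd1 satisfies sign-up rules yet is a trivial variant of a common password, shown as an added example (not from the thread, the linked article, or Apple's actual check). The composition rule, the `screen` helper and the five-entry blocklist are constructed assumptions for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# common-password list, stored lowercase (assumption).
COMMON = {"password", "letmein", "qwerty", "iloveyou", "monkey"}

# Undo common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def composition_ok(pw):
    """Hypothetical composition-only rule: 8+ chars with upper, lower, digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)

def candidates(pw):
    """Yield normalized forms of pw to compare against the blocklist."""
    lowered = pw.lower()
    stripped = lowered.rstrip("0123456789!@#$%^&*.")  # drop appended digits/symbols
    for form in (lowered, stripped):
        yield form
        yield form.translate(LEET)

def screen(pw, blocklist=COMMON):
    """Return rejection reasons; an empty list means the password is accepted."""
    reasons = []
    if not composition_ok(pw):
        reasons.append("fails composition rule")
    if any(c in blocklist for c in candidates(pw)):
        reasons.append("variant of a common password")
    return reasons

if __name__ == "__main__":
    for pw in ("Passw0rd1", "monkey", "Tq7#vR2m!xLp9Zd"):
        print(pw, "->", screen(pw) or "accepted")
```

A composition rule alone accepts Passw0rd1; the normalized blocklist comparison is what rejects it.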

To: Leonard210; for-q-clinton
Your other link has this paragraph.

“Of course, that’s still a very big ‘only’. Your email and password are as much protection as almost any service on earth offers you by default — and once a hacker obtains those you’re probably in trouble in any case. The early evidence, and Apple’s statement on the matter, indicates that hackers obtained passwords through guessing security questions, social engineering, phishing or other ‘targeted’ attacks — rather than a leak of the password data itself by Apple. Notably, access to iPhone backups can also be accessed using an authentication token (a file created by iTunes) which can be obtained using malware or phishing — and which does not require a password at all.”

There is absolutely no way that anyone could get that token by phishing, because the target of the phishing expedition does not know it! If the target doesn't know the information, and it's not in user files, he cannot give it to a phisher. So that is just pure nonsense!

Getting malware onto a Mac has been a singularly difficult thing to do. The operating system blocks Trojans. . . and if they could get a Trojan on, they'd have access to the photos on the computer directly. Why go through circumlocution to get the backup? We are STILL looking for members of that mythical 600,000 member Macbot that no one has yet seen. And there are still ZERO OSX computer viruses after sixteen years. Perhaps they'll have better luck on Windows.

30 posted on 09/04/2014 11:07:39 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Leonard210
fanbois? I'm not going to vouch for, or attack that article linked - but apparently you didn't read it yourself before posting. Note this little tidbit:

“The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.”

37 posted on 09/05/2014 9:31:16 AM PDT by TheBattman (Isn't the lesser evil... still evil?)

To: Leonard210; Swordmaker
fanbois? I'm not going to vouch for, or attack that article linked - but apparently you didn't read it yourself before posting. And this little bit:

“All you need is someone's iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes.”

Seriously? What service can one NOT "hack" an account if you HAVE THE PASSWORD???? Ugh. So let's read down a bit farther:

“As Nik Cubrilovic outlines in his excellent post on the data theft, there are a few common vectors (that is, attack holes) for obtaining an iCloud password. Cubrilovic lists them in order of popularity and effectiveness:

Password reset (secret questions / answers)

Phishing email

Password recovery (email account hacked)

Social engineering / RAT install / authentication keys”

In other words - the EXACT same methods that prey on idiots that are totally effective on ANY and ALL services - regardless of platform, computer, or software company.

38 posted on 09/05/2014 9:35:31 AM PDT by TheBattman (Isn't the lesser evil... still evil?)
