Normally I don’t do this, but I had to write about it. Yesterday, Mashable was obviously looking to sell more ads when they posted an article titled “How I Hacked My Own iCloud Account, for Just $200”.
If you want real information, scroll down to the comments. Mashable’s readers have more common sense than the journalist who wrote the article.
Some gems:
In fact, I was able to use an iBrute-like tool to crack my own password (which, to be clear, was chosen to be extremely easy to crack. Like, it was Passw0rd1. Apple wouldn’t let me use Passw0rd, but Passw0rd1 was just fine.).
or
A small program is included with EPPB that can be run from the command line on Windows or OS X. The program searches to see if a user has the iCloud Control Panel for Windows installed (or if the user is logged into iCloud in OS X) and if it is, it copies an authentication token from the proper place and copies it to a text file for easy copying.
To the best of my knowledge, OS X stores that token in Keychain Access, which should be kept locked at all times with your computer admin password.
And then:
As a test, I decided to see if I could successfully reset the Apple ID account password for my sister (sorry, Kelley). I entered in her iCloud username and her birthdate, and then came across two security questions.
It turns out, I only knew the answer to one of the questions. Simply hitting “refresh” on the question page, however, led me to a new combination of questions. Eventually, I managed to get a pair of questions I could answer. Voila [sic], reset.
So let’s be clear: the experiment was carried out after setting a deliberately weak password, with physical access to a Mac, and with knowledge of the journalist’s sister’s birthdate and security answers. Ok...
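The Passw0rd/Passw0rd1 detail is the one worth dwelling on. As an added example (not from the Mashable article or this post), the Python below puts a constructed composition rule next to a normalization check that undoes the leet substitutions and trailing digits and compares the result against a small constructed blocklist; the rule, blocklist and substitution table are assumptions, not Apple’s actual policy.

```python
# Added example, not from the article or this blog post. Shows why a
# composition rule (uppercase + lowercase + digit) says little about
# strength: "Passw0rd1" satisfies it but normalizes straight to "password".
import re

# Constructed mini-blocklist of common base words (a real list is far larger).
COMMON_BASES = {"password", "iloveyou", "qwerty", "letmein", "welcome"}

# Common "leet" substitutions that let dictionary words pass digit/symbol rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def passes_composition_rule(pw: str) -> bool:
    """Constructed policy (assumption, not Apple's): 8+ chars, one uppercase,
    one lowercase, one digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def normalize(pw: str) -> str:
    """Undo the tricks that let a dictionary word slip past a composition rule:
    lowercase, strip an appended digit/symbol suffix, undo leet substitutions."""
    base = pw.lower()
    base = re.sub(r"[\d!@#$%^&*?.]+$", "", base)  # "Passw0rd1" -> "passw0rd"
    return base.translate(LEET)                     # "passw0rd"  -> "password"


def is_weak(pw: str) -> bool:
    """Weak if the normalized base word is on the blocklist, regardless of
    what the composition rule says."""
    return normalize(pw) in COMMON_BASES


def evaluate(pw: str) -> dict:
    """Both verdicts side by side, so the disagreement is visible."""
    return {"composition_ok": passes_composition_rule(pw),
            "weak": is_weak(pw),
            "base": normalize(pw)}


if __name__ == "__main__":
    for candidate in ("Passw0rd", "Passw0rd1", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

The passphrase in the last line shows the inverse failure: the composition rule rejects it while the blocklist check does not flag it.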
In other news, Apple said it will step up security measures to make it more difficult to get access to an iCloud account.
In most cases, the weakest link in security is a person. Keep these points in mind to protect your account.