iCloud accounts at risk of brute force attack as hacker exploits 'painfully obvious' password flaw

A developer claims to have discovered a flaw in Apple's iCloud security where an automated piece of software can be used to repeatedly guess a target's password.

Called iDict and submitted to GitHub, the tool claims to be able to perform a password dictionary attack, automatically guessing through a list of 500 commonly used passwords in an attempt to gain access to any iCloud account.

The creator of the software, called @Pr0x13, said: "This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities. I publicly disclosed it so Apple will patch it."

It was revealed last year that such an attack - known as brute force - had been used to access numerous celebrity iCloud accounts, leading to the theft and leaking of private images taken with their iPhones.

Although it could be a coincidence, the Photos app is currently missing from iCloud's website with no explanation from Apple as to why.

Last September, Apple said it had made changes to iCloud security and introduced a measure to stop software from making multiple automated guesses. While this is the case when trying to log in on a computer, unlimited guesses can be made using an iOS device, which is what this software pretends to be when accessing iCloud from a computer running it.

Described by its creator as exploiting a "painfully obvious" security hole, iDict is far from sophisticated, as it simply guesses the 500 passwords it has access to, then reports "100%" success, whether the correct password is found or not. The list includes phrases like 'Password01' and 'Pa55word' as well as common names and sequences like 'abc123ABC'.

Only those who use a password on this list - and who don't have two-factor authentication activated on their account - are at risk from being hacked with this method, but it does prove that Apple hasn't successfully prevented the use of brute force attacks. A hacker with a much longer list of potential passwords could theoretically use it to guess their way in.