A security researcher has reported a vulnerability in the 2-Factor Authentication system of Apple iCloud. The iCloud vulnerability allowed hackers to take over an account by just knowing the victim’s phone number. The vulnerability has since been patched, and it no longer works.

Laxman Muthiyah from The Zero Hack was able to hack an iCloud account by using a ‘race hazard-based brute forcing’ technique. This technique is a bit different from the typical brute force technique. In this, a hacker exploits the server’s race condition vulnerability and sends multiple concurrent requests to reset the password.

Companies, to avoid this race condition exploit, add a limit to the number of requests one can send to reset a password. Apple has a limit of a maximum of 5 attempts, after which it blocks the account ‘for a few hours.’ However, the hacker sent multiple requests from different IPs to fool the system and hacked into an iCloud account.

Muthiyah says that if you know a person’s phone number, you can brute force the 6-digit 2FA code to reset an account’s password. However, after six failed attempts, Apple blocks the IP address to prevent the hacker from generating further requests. These are some things Muthiyah found after testing Apple’s security system:

• iforgot.apple.com resolves to 6 IP addresses across the globe – (17.141.5.112, 17.32.194.36, 17.151.240.33, 17.151.240.1, 17.32.194.5, 17.111.105.243).
• There were two rate limits we have seen above, one is triggered when we send more than 5 requests to forgot password endpoint (http://iforgot.apple.com/password/verify/smscode) and another one is across the apple server when we send more than 6 concurrent POST requests.
• Both these rate limits are specific to apple server IP which means we can still send requests (within limits though) to another apple server IP.
• We can send up to 6 concurrent requests to an apple server IP (by binding iforgot.apple.com to the IP) from a single client IP address as per their limits. There are 6 apple IP addresses resolved as mentioned above. So we can send up to 36 requests across the 6 apple IP address (6 x 6 = 36) from a single IP address.
• Therefore, the attacker would require 28,000 IP addresses to send up to 1 million requests to successfully verify the 6 digit code.

Muthiyah reported the issue to Apple in June 2020. In a reply, Apple wrote to Muthiyah saying that the hack only works with Apple accounts that have never been signed into an iPhone, Mac, or iPad, and acquiring 28,000 IP addresses isn’t easy for anyone — thus limiting the possibility of such a hack.

Apple finally released a fix for the issue in April 2021. After a lot of emails between Apple and Muthiyah, Apple offered him $18,000 in the bug bounty reward program. However, Muthiyah declined the offer citing the offer was ‘unfair’ for the amount of impact it could’ve created.

You can read the whole story of how Muthiyah was able to break into the iCloud 2FA system here.