Researcher Claims Apple Downplayed Severity of iCloud Account Takeover Vulnerability (Security News, June 2021)
A security researcher claims he discovered a critical vulnerability in Apple's password reset feature that could have been used to take over any iCloud account, but Apple has downplayed the impact of the flaw.
The issue, researcher Laxman Muthiyah says, was a bypass of the various security measures Apple has in place to prevent attempts to brute force the 'forgot password' functionality for Apple accounts.
The researcher discovered that an attacker could send the requests using cloud services that are not blocked, enabling them to brute-force the 6-digit code and gain access to the targeted iCloud account.
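The rate-limit gap described above, as an added model that is neither Apple's code nor the researcher's: a reset-code check throttled only per source IP lets the number of evaluated guesses grow with the number of addresses an attacker can send from, whereas a per-account attempt budget that invalidates the code bounds the total regardless of source. Class and function names, the limits and the TEST-NET addresses are constructed assumptions.

```python
"""Constructed model of a 6-digit reset-code verifier under two throttling policies."""
from collections import defaultdict
import secrets


class ResetCodeVerifier:
    """per_ip_limit: attempts allowed per client address (weak on its own).
    per_account_limit: attempts allowed per account before the code is voided."""

    def __init__(self, per_ip_limit=5, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.codes = {}                          # account -> outstanding code
        self.ip_attempts = defaultdict(int)
        self.account_attempts = defaultdict(int)

    def issue(self, account, code=None):
        # code is only injectable so the demonstration below is deterministic
        self.codes[account] = code or f"{secrets.randbelow(10**6):06d}"
        self.account_attempts[account] = 0
        return self.codes[account]

    def verify(self, account, guess, src_ip):
        """Returns 'ok', 'wrong', 'throttled' (per IP) or 'locked' (per account)."""
        if self.ip_attempts[src_ip] >= self.per_ip_limit:
            return "throttled"
        budget = self.per_account_limit
        if budget is not None and self.account_attempts[account] >= budget:
            return "locked"
        self.ip_attempts[src_ip] += 1
        self.account_attempts[account] += 1
        expected = self.codes.get(account)
        if expected is not None and secrets.compare_digest(expected, guess):
            del self.codes[account]              # single use
            return "ok"
        if budget is not None and self.account_attempts[account] >= budget:
            self.codes.pop(account, None)        # void the code once the budget is spent
        return "wrong"


def count_evaluated(verifier, account, guesses, n_ips):
    """Spreads guesses round-robin over n_ips constructed TEST-NET addresses and
    counts how many the verifier actually compared (neither throttled nor locked)."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = verifier.verify(account, guess, f"203.0.113.{i % n_ips}")
        if result in ("ok", "wrong"):
            evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With only a per-IP limit of 5, 200 addresses get 1000 guesses compared; with a per-account budget of 5 the same traffic is cut off after 5 and the code is void.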
The researcher claimed Apple did not notify him when it fixed the issue.
"If they did patch it after my report, the vulnerability became a lot more severe than what I initially thought. Through brute forcing the passcode, we [would] be able to identify the correct passcode by differentiating the responses. So we not only can take over any iCloud account but also discover the passcode of the Apple device associated with it. Even though the attack is complex, this vulnerability could hack any iPhone / iPad that has a 4 digit / 6 digit numeric passcode if my assumption is right," he says.
Apple offered the researcher an $18,000 bug bounty reward, but he refused it, saying that the company significantly downplayed the impact of the flaw, and that it should have awarded him $100,000 or even as much as $350,000.