Primejimbo

Anyone else read this?
http://www.engadget.com/2014/12/18/elcomsoft-phone-breaker-icloud-two-step/

An update to Elcomsoft's Phone Breaker software now makes it easier for bad guys to bypass Apple's vaunted new two-factor authentication to steal your iCloud stuff. As before, the hackers would need some information to start with -- either your Apple ID/password plus a two-factor code, or a digital token stolen from, say, your laptop. That would give them access to your account anyway, but here's the kicker: The Phone Breaker app can then create a digital token granting intruders permanent access without a two-step code until you change the password. It also allows someone to view all your iCloud files at a glance, making it easier to pick and choose which to steal. The tool is used legitimately by law enforcement to access lawbreakers' phones, but was also recently implicated in a celebrity phone hack.
 
So what? Obviously if you have the Apple ID/password and a valid two-factor code you can log in; it's exactly what you use to log in to iCloud. That means having access to a device where the two-factor code is sent.

A digital token is exactly what you use to stay logged in without re-entering the two-factor code each time. Obviously if you have it you can log in too…

So there isn't anything new in the Engadget article. It's just a third-party app you can use to access an iCloud account if you have the account credentials.
 
I'm sorry, but I don't understand this... So if I go on iCloud.com, put in my info, get the 4-digit code from my phone, this is how they are getting this info? Is this only an issue if I select "I log on the computer frequently"? (or something close)
 
Nobody is getting any info at all, there is no issue here.

The Engadget article talks about a program to download data from iCloud. But that app works only if the person using it has:
- your Apple ID, password and a valid two-factor code.
- a token stored on your computer.

And the only way for them to get it is to have access to your devices or your computer.
 
Thanks for clearing that up for me!
 
In the past the software used the token that is generated when you log in to iCloud in the settings on Mac or the iCloud app on Windows. Not sure if they can now also use the browser cookie that is used to store the token for access to icloud.com.

In order to get to the token, an attacker would either have to have physical access to your computer, or use some exploit to remotely install malware that could grab them and send them over the Internet. One thing to note is that you will not get an email notification when someone uses a token to access your account.
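
The behaviour discussed in this thread, modelled as an added example (not part of any post, and not Apple's or Elcomsoft's code): a token minted after a two-step login is accepted later without a code, stays valid until the password changes, and can be made visible by alerting when it is used from a different client. The `Account` class, the client labels and the alert rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Account:
    """Toy server-side model of token-based sessions; all names are hypothetical."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.generation = 0   # bumped on every password change
        self.tokens = {}      # sha256(token) -> (generation, client it was issued to)
        self.alerts = []      # events the account owner should be told about

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, code, expected_code, client):
        """Password plus two-step code: the only path that mints a token."""
        if not (hmac.compare_digest(self._hash(password), self.pw_hash)
                and hmac.compare_digest(code, expected_code)):
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (self.generation, client)
        return token

    def use_token(self, token, client):
        """Token path: neither the password nor a code is requested."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        issued = self.tokens.get(digest)
        if issued is None or issued[0] != self.generation:
            return False      # unknown token, or minted before a password change
        if issued[1] != client:
            self.alerts.append(f"token issued to {issued[1]} used from {client}")
        return True

    def change_password(self, new_password):
        self.pw_hash = self._hash(new_password)
        self.generation += 1  # invalidates every token minted earlier


def demo():
    # Constructed sample values; nothing here is real account data.
    acct = Account("constructed-password")
    token = acct.login("constructed-password", "4821", "4821", "home-mac")
    copied = acct.use_token(token, "other-machine")   # accepted, but alerted
    acct.change_password("constructed-new-password")
    after = acct.use_token(token, "other-machine")    # rejected
    return copied, after, acct.alerts
```
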
 