iCloud two-step verification
Apple ID holders with two-step verification enabled may see a few more padlocks on their iCloud screens. Screenshot/Apple

This time Apple acted fast. The tech giant has fixed a security flaw that targeted iCloud customers who used common Internet passwords. Known as iDict, the hacking tool was released on New Year’s Day and patched days later, a quick turnaround that comes after Cupertino was criticized for doing too little to prevent last year’s attack on the iCloud accounts of a number of female celebrities.

The iDict tool, first uploaded to GitHub, uses what’s known as a “brute force” method to gain entry to any number of potential accounts. It subverted Apple’s security methods by overriding the maximum number of log-in attempts, which normally locks a user out of an account after too many failed entries.

iDict broke into the accounts by automatically trying every phrase on a list of the 500 most commonly used words in passwords.

Anyone who uses simple passwords or passwords tied to their public, online persona is advised to change them immediately. The iDict list clearly sought to exploit this tendency by containing passwords as basic as: P@ssword, Password2, Whatever1, Bigdaddy1 and hundreds more. It also claimed to render useless Apple’s two-step verification-protection process.

“The bug is painfully obvious, and it was only a matter of time before it was privately used for malicious or nefarious activities,” the creator, who identified himself only as Prox13, explained in the initial GitHub announcement. “I publicly disclosed it so Apple would patch it.”

That, according to Prox13, is exactly what Apple did.

Apple hasn’t spoken publicly on the matter (the hack’s patch was first revealed by Business Insider), but the urgency could stem from the high level of embarrassment surrounding the hack that led to the spread of nude photos of celebrities including Jennifer Lawrence, Kate Upton, Rihanna and dozens of other A-listers.