Hacker Team Claims Compromise of Apple's iCloud and Activation Lock, Possibly via SSL Bug [Updated] - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Hacker Team Claims Compromise of Apple's iCloud and Activation Lock, Possibly via SSL Bug [Updated]

icloud_iconA pair of hackers from the Netherlands and Morocco, identifying themselves as AquaXetine and MerrukTechnolog, claim to have compromised the security of Apple's iCloud system for locking iOS devices.

The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf [Google Translate]. It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple's iCloud service.

The hackers reportedly worked on the vulnerability for five months, studying the transmission of data between iPhone handsets and Apple's iCloud services. The pair claim to be able to unlock a locked iPhone by placing a computer between the iPhone and Apple's servers. In this configuration, the iPhone mistakenly identifies the hacker's computer as one of Apple's servers and follows instructions provided by the nefarious computer to reverse activation lock on the handset.

While the hackers did not reveal precise information on how their intercepting computer can spoof Apple's iCloud activation servers, it appears that they may be taking advantage of an SSL bug that is present in iTunes for Windows, as noted by iPhone in Canada, who spoke to security researcher Mark Loman about the issue. The previously disclosed issue was fixed in iOS 7.0.6 and OS X 10.9.2, but it appears that iTunes for Windows is still affected.

After looking into some claims of the jailbreak community, Mark Loman decided to do some investigating of his own and made a shocking discovery. SSL has two tasks: one, to verify communication with the intended server; and two, to prevent manipulation.

“The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it — which is how I figured it out.”

The vulnerability reportedly allows hackers to intercept Apple ID credentials, which can then be used to unlock iOS devices that have been locked after having been lost or stolen.

Actually, the data IS encrypted. But when an attacker strips SSL during a so-called man-in-the-middle attack the AppleID account name and password can be extracted as they are sent in plain text inside SSL, Mark Loman said in an email sent to iPhone in Canada.

Using this technique, the hackers claim to have unlocked 30,000 iPhones in the past few days. The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.

Update 10:43 AM: One of the hackers has denied that the bypass involves an SSL bug.

Popular Stories

iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Thursday July 2, 2026 6:10 am PDT by
If you pay for certain iCloud+ storage plans beyond the 5GB that Apple offers for free, you will receive two more perks on iOS 27 at no additional cost. A summary of the two new iCloud+ perks on iOS 27:Increased daily usage limits for some new Apple Intelligence features, including image generation in the revamped Image Playground app. HomeKit Secure Video cameras receive generated video...
iPhone 4 on Black Feature

Apple Facing One of Its Worst Leaks Since the iPhone 4

Thursday July 2, 2026 9:53 am PDT by
Apple supplier Tata Electronics recently suffered a cyberattack that resulted in thousands of confidential files being published on the dark web, and this reportedly included some photos and documents related to the upcoming iPhone 18 Pro. We have elected not to share any of the leaked photos in this story due to the illegal nature in which they were obtained, but they can easily be found...
Apple Event Logo

Apple Just Released a New Product

Thursday July 2, 2026 8:04 am PDT by
Apple's first product release of summer 2026 occurred this week, but do not get too excited, as it is merely the Beats Solo Buds in a new color. Beats Solo Buds are now offered in orange through Best Buy in the U.S., with availability set to expand to 7-Eleven stores in Japan on July 4. Apple already offered orange Solo Buds in India for free with the purchase of an iPhone 15 or iPhone 15 ...

Top Rated Comments

158 months ago
The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.

In my opinion, that's the proper way to do it.

[LIST=1]
* Contact the manufacturer to inform them of the problem.
* Give them some time to fix it.
* If they haven't fixed it after a few months, go public to force them to react.
Score: 32 Votes (Like | Disagree)
Sky Blue Avatar
158 months ago
"The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information."

lol, Apple
Score: 27 Votes (Like | Disagree)
158 months ago
Annnnnnd cue the tech press over-reacting and blowing this way out of proportion.

Not that this isn't a serious flaw; it is. But because it's Apple it will be presented as the end of the world, and covered by every major news outlet where-as a similar bug in Android is barely mentioned by anyone at all.
Score: 10 Votes (Like | Disagree)
dannyyankou Avatar
158 months ago
The NSA new this all along.

*knew

Sorry, couldn't resist.
Score: 8 Votes (Like | Disagree)
158 months ago
They did, in March. Still not fixed.
So anyone can claim anything they want and people instantly believe them without a shadow of doubt? When did the public become so easily gullible?

I'm not saying its not true. I'm saying none of us know. Just because some hackers claim something doesn't make it true. And how exactly are they trustworthy to begin with? These are people hacking into places they shouldn't be, unlocking stolen phones, and you don't even have a sliver of doubt about their honesty?
Score: 8 Votes (Like | Disagree)
158 months ago
These billion dollar companies really need to stay on top of all this. They're happy to take your money but not so quick to safeguard your details.

And now there's trouble at eBay.
Score: 8 Votes (Like | Disagree)