by cantsingh 1832 days ago
You seem to have a lot of knowledge on this, so apologies if I am misunderstanding, but aren't you still overlooking the fact that for iCloud accounts that hadn't been used on Apple devices (even if it was a small subset of devices), he was able to reset the provided password by concurrently brute-forcing the OTP endpoint?

Isn't that alone sufficient to demonstrate complete iCloud account takeover?

Agreed that this should not be taken as proof that the other reset flow was not vulnerable, but to me it seems like two separate issues.


It is two separate issues; as I said, I think $18k is way too low for a subset of accounts takeover. Personally, I'd have awarded the full amount.