Bypass iPad 2 passcode with a Smart Cover

October 20th, 2011 by admin in Apple, Privilege Escalation

Anyone with a Smart Cover can break into your “password-protected” iPad 2. This issue occurs in iOS 5, but we’re hearing uncorroborated reports of it also working in earlier versions of iOS 4.3.

What the flaw allows:

As you can see in the video above, a Smart Cover can essentially unlock an iPad 2. The person who unlocks your iPad 2 will not get complete access to the device, but will be able to get into whichever app was open when the iPad 2 was locked. If your iPad 2 went to sleep in Mail, Safari, Messages, Contacts, or Maps, you can imagine the sorts of personal information that can be viewed. If you left your iPad 2 on its Home screen, the person can see which applications are installed on the device and control media from the multitasking bar, but not much else.

How to re-create it:

1) Lock a password-protected iPad 2

2) Hold down the power button until the iPad 2 shows the power-off slider

3) Close the Smart Cover

4) Open the Smart Cover

5) Tap Cancel at the bottom of the screen


OS X Lion bugs allow changing local user passwords and viewing shadow files

September 20th, 2011 by admin in Apple, cracking, News, Privilege Escalation, Uncategorized

The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple’s part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.

Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 lies in the user-specific shadow files used on modern OS X platforms. These files are essentially hash databases and contain, among other things, the user’s password hashes. Ideally, they should be readable only by high-privilege accounts.

According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. “Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Dunstan wrote. “This is accomplished by extracting the data straight from Directory Services.” Any user can do this by invoking the Directory Services listing through the /Search/ path, for example $ dscl localhost -read /Search/Users/bob (where “bob” is the username). This causes Lion to print the contents of Bob’s shadow hash record, including data that can be used to crack Bob’s password with a simple script, such as the Python script Dunstan wrote.

Source: InfoWorld
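The following audit script is an added example, not the post’s code and not Dunstan’s script. It runs the same dscl read quoted above, but for the invoking user only, and reports which sensitive attribute names come back, never their values. The sample dscl output embedded for offline use is constructed to approximate dscl’s “Key: value” layout (an assumption about the format, not a real capture), and its hex line is a placeholder rather than a genuine hash.

```python
"""Audit whether Directory Services hands the invoking (non-root) user its own
password hash data. Added example, not the post's or Dunstan's code.

It runs the dscl read quoted in the post for the current user and reports
attribute names only; hash values are neither printed nor stored. The sample
output embedded for offline use is constructed to approximate dscl's
"Key: value" layout (an assumption, not a real capture), and the placeholder
hex is not a genuine hash.
"""
import getpass
import shutil
import subprocess
from typing import Dict, List, Optional, Set

# Attributes whose non-empty presence in a non-root read means hash data is exposed.
# ShadowHashData is the attribute the post describes; extend the set as needed.
SENSITIVE_ATTRIBUTES = {"ShadowHashData"}


def parse_dscl_record(text: str) -> Dict[str, List[str]]:
    """Parse 'dscl ... -read' output into {attribute: [values]}.

    Assumed layout: 'Name: value' starts an attribute, and a line beginning with
    a space continues the value list of the attribute before it.
    """
    record: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            record[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            record[current] = [value.strip()] if value.strip() else []
    return record


def exposed_attributes(record: Dict[str, List[str]]) -> Set[str]:
    """Names of sensitive attributes that came back with a value."""
    return {attr for attr in SENSITIVE_ATTRIBUTES if record.get(attr)}


def read_current_user_record() -> Optional[str]:
    """Run the dscl read from the post for the invoking user; None when dscl is absent."""
    if shutil.which("dscl") is None:
        return None
    path = f"/Search/Users/{getpass.getuser()}"
    result = subprocess.run(["dscl", "localhost", "-read", path],
                            capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample of what a vulnerable Lion system might return to a non-root
# user (not a real capture; the hex line is a placeholder, not a hash).
SAMPLE_OUTPUT = """\
AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512>
NFSHomeDirectory: /Users/bob
RecordName: bob
ShadowHashData:
 00000000 11111111 PLACEHOLDER
UniqueID: 501
"""

if __name__ == "__main__":
    live = read_current_user_record()
    source = "live dscl output" if live is not None else "constructed sample (dscl not found)"
    exposed = exposed_attributes(parse_dscl_record(live if live is not None else SAMPLE_OUTPUT))
    print(f"{source}: exposed attributes = {sorted(exposed) or 'none'}")
```

Run it as an ordinary user on the machine being audited; an output listing ShadowHashData means Directory Services is handing hash material to unprivileged callers and the fix Apple shipped for this issue has not been applied. On a host without dscl it falls back to the constructed sample so the parser can still be exercised.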

Top 10 iPhone unlock codes

June 16th, 2011 by admin in Apple, Password Info

In his last update to Big Brother Camera Security, Daniel Amitay added some code to record common user passcodes. Because Big Brother’s passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, Daniel figured that the collected information would closely correlate with actual iPhone passcodes. Out of 204,508 recorded passcodes, the top ten most common were:
[1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998]
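The check below is an added example rather than anything from Amitay’s app or the post. It uses the post’s own top-ten list as a blocklist and adds a few pattern heuristics that are my own assumptions about why those codes are popular (1234 is a digit run, 0000 a repeat, 2580 the middle column of a phone keypad, 1212 a repeated pair, 1998 a birth year); the keypad layout and the “looks like a year” rule are assumptions, not findings from the post.

```python
"""Weak four-digit passcode check (added example; not from the original post).

TOP_TEN is the list the post reports. The pattern heuristics are assumptions
about why such codes are common, not findings from the post.
"""
from typing import List

# The ten most common passcodes reported in the post, in rank order.
TOP_TEN = ["1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"]

# Straight lines on a phone keypad (assumed layout: 123 / 456 / 789 / 0 below 8),
# including both diagonals and the middle column that runs down to 0.
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]


def _is_run(pin: str) -> bool:
    """True for ascending or descending runs such as 1234 or 4321."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def _on_keypad_line(pin: str) -> bool:
    """True when the digits trace a straight keypad line in either direction."""
    return any(pin in line or pin in line[::-1] for line in KEYPAD_LINES)


def passcode_weaknesses(pin: str) -> List[str]:
    """Return the reasons a four-digit passcode is weak; an empty list means none found."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    reasons = []
    if pin in TOP_TEN:
        reasons.append("in the top-ten list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if _is_run(pin):
        reasons.append("ascending or descending digit run")
    if pin[:2] == pin[2:]:
        reasons.append("repeated digit pair")
    if _on_keypad_line(pin):
        reasons.append("straight line on the keypad")
    if pin[:2] in ("19", "20"):
        reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    for candidate in TOP_TEN + ["7391"]:
        print(candidate, "->", passcode_weaknesses(candidate) or "no obvious weakness")
```

Every entry in the post’s list trips at least the blocklist rule, and all but 5683 also trip a pattern rule, which is the practical point: a passcode policy that only blocks a fixed list misses the next 1234-shaped code, while the pattern rules catch the whole family.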


iPhone Password Bypass

March 25th, 2011 by admin in Apple

The following tutorial explains how to access an iPhone, iPad or iPod that is passcode-protected.

If you are a Windows user, just download the free iPhone Browser software:

Connect the device (iPhone, iPod or iPad) and go to the following location:

var/keychains, and delete the file keychain-2.db

Once done, restart the device by holding the Home and Sleep buttons together for 10 seconds; release them when you see the black screen, then after 3 seconds press the Sleep/Power button once.

Your iDevice will boot up, but this time it will not ask for the passcode, because the database record for the passcode has been deleted.

The new threat

February 12th, 2011 by admin in Apple, cracking, Linux, Privilege Escalation, Uncategorized, windows

Programmable embedded devices can present themselves as a HID device, just like a keyboard or mouse. So if you have physical access and a minute alone, you can compromise a system with something the size of your thumb. The possibilities are endless: HTTP/FTP download, injecting binaries through debug or PowerShell, etc. The device is also cross-platform, which means Windows, Linux, UNIX and Apple systems are all vulnerable.

Here’s an example project we made for a Windows 7 box that adds a new Admin user to the system and hides that user from the logon screen. The whole process takes about 16 seconds, with most of the time taken by the device being detected as a keyboard and the driver being installed. The device costs about $20 and can be found here
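Since the post notes that the slow step is the device being enumerated as a keyboard, that enumeration is also the detection opportunity. The script below is an added example, not the post’s project: it scans kernel log lines for keyboard-class USB HID attach events and flags any keyboard whose vendor/product pair is not on a known baseline. The log lines and the baseline are constructed with placeholder IDs, and the assumed line shape is the usual Linux hid-generic “USB HID vX.YZ Keyboard [name]” message, which the post itself does not show.

```python
"""Flag keyboard-class USB HID devices that are not on a known baseline, from
kernel log lines. Added example; not the post's project. The log lines and the
baseline below are constructed (placeholder vendor/product IDs), and the line
shape follows the usual Linux 'hid-generic ... USB HID vX.YZ Keyboard [name]'
message, which is an assumption about the log source, not something the post shows.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Matches the hid-generic attach line, e.g.
#   hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Known Keyboard] on usb-0000:00:14.0-1/input0
HID_LINE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r"\S+: USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device) \[(?P<name>[^\]]*)\]"
)

# Constructed baseline of keyboards expected on this host (vendor ID, product ID).
KNOWN_KEYBOARDS: Set[Tuple[str, str]] = {("AAAA", "0001")}


def parse_hid_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract every HID attach event as {vid, pid, kind, name}."""
    events = []
    for line in lines:
        match = HID_LINE.search(line)
        if match:
            events.append({
                "vid": match["vid"].upper(),
                "pid": match["pid"].upper(),
                "kind": match["kind"],
                "name": match["name"],
            })
    return events


def unexpected_keyboards(lines: Iterable[str],
                         known: Set[Tuple[str, str]] = KNOWN_KEYBOARDS) -> List[Dict[str, str]]:
    """Keyboard-class attach events whose vendor/product pair is not in the baseline.

    A programmable device that enumerates as a keyboard appears here as soon as
    the kernel binds it, which is the step the post identifies as the slow part.
    """
    return [event for event in parse_hid_events(lines)
            if event["kind"] == "Keyboard" and (event["vid"], event["pid"]) not in known]


# Constructed kernel log excerpt (not a real capture).
SAMPLE_LOG = [
    "[   10.101] usb 1-1: new full-speed USB device number 2 using xhci_hcd",
    "[   10.240] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Known Keyboard] on usb-0000:00:14.0-1/input0",
    "[   10.302] hid-generic 0003:AAAA:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Known Mouse] on usb-0000:00:14.0-2/input0",
    "[ 8420.517] usb 1-3: new full-speed USB device number 5 using xhci_hcd",
    "[ 8420.811] hid-generic 0003:BBBB:0001.0003: input,hidraw2: USB HID v1.11 Keyboard [Unlisted Keyboard] on usb-0000:00:14.0-3/input0",
]

if __name__ == "__main__":
    for event in unexpected_keyboards(SAMPLE_LOG):
        print(f"ALERT: unlisted keyboard {event['vid']}:{event['pid']} ({event['name']})")
```

On a real Linux host the lines would come from dmesg or journalctl -k; composite devices that bind as “Device” rather than “Keyboard” would need the kind filter widened. A baseline by vendor/product ID is deliberately simple: a device that spoofs a known ID slips past it, so pair this with the more robust control of only allowing one keyboard per workstation.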

Plain-text iPhone passwords

February 10th, 2011 by admin in Apple, cracking

Lost your iPhone passwords? Just jailbreak it and recover all of them; they’re all in plain text 🙂

Mac Keychain Master Password Recovery Tool

November 23rd, 2010 by admin in Apple, cracking

Most Apple applications store login passwords and other critical information so that the user is spared the hassle of entering the password every time. Often these applications use their own proprietary encryption mechanism to store the credentials, but on the Mac many applications use the Keychain files to store usernames, passwords and sometimes other critical data. In such cases KeychainRecovery helps in recovering the lost master password of the Keychain file.
You can download it from , the same site that brought you the Firefox Master password cracker.

Make calls from locked iPhone 4s

October 25th, 2010 by admin in Apple, Privilege Escalation

A security hole in the iPhone 4 software lets you make a call from the lock screen after dialing a few pound signs and timing a few button presses, as found by a MacForums member.

When your iPhone is locked with a passcode, tap Emergency Call, then enter a non-emergency number such as ###. Next, tap the call button and immediately press the lock button. This should open the Phone app, where you can see all your contacts, call any number, etc.

This is very similar to a security flaw we blogged about in 2008, which allowed people to easily bypass the iPhone lock screen to access mail, contacts and bookmarks. Apple later acknowledged the bug and issued a software update patching the issue.

An Apple spokeswoman’s response regarding the security flaw:
“We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November.”

iPhone Password Cracker

August 6th, 2010 by admin in Apple, cracking

Russian password cracking software vendor ElcomSoft has recently released a tool which purportedly recovers the passwords stored on the latest iPhones without modifying any data on the phone at all. The “iPhone Password Breaker” software works by recovering the password used to encrypt the keychain, which the device uses to store the passwords for email accounts, websites, and software on the phone.

The software, which is aimed at forensic investigators, extracts the password from the keychain once it has been backed up to a computer. ElcomSoft has a variety of similar software that works with other file formats and platforms, such as ZIP and RAR password crackers, Excel and Word, and a number of others. In the words of ElcomSoft:

ElcomSoft is world’s first to unlock access to iPhone keychains. Prior to the release of the updated iPhone Password Breaker, the keychains were considered impossible to obtain. The ability to recover stored passwords without altering the phone’s content offers valuable court evidence to investigators and forensic authorities.

On previous iPhone versions, the keychain remained encrypted with a hardware-specific device key unique to each iPhone, even when exported to an external backup. Since the release of iOS 4, this is no longer necessarily the case: the keychain can now be stored in backups that are encrypted only with the backup’s master password, and if that password is known, it is possible to gain access to the encrypted keychain. If an unencrypted backup is made, however, the keychain is still protected with the phone’s hardware key, so to gain access to it a password-protected backup must first be made (seems counter-intuitive, doesn’t it?).

The ElcomSoft iPhone Password Breaker also uses GPU-accelerated password cracking to significantly increase the speed of recovery. A trial can be obtained at

Droid and iPhone lock-screen gesture password bypass

February 18th, 2010 by Dev Team in Apple, Life, Privilege Escalation

You know the lock-screen gesture protection used on iPhone/Android smartphones to prevent people from picking up your phone and having immediate access to all your personal information? Right, well, I hope you’re not relying on your phone’s swipe gesture protection to keep all your dirtiest secrets from falling into the wrong hands.
The next image is a good example of how easy it is to circumvent the Nexus One’s lock-screen gesture password.
