Minacriss web services exposed sensitive information from 20k users. Two developers found an important security leak in the Minacriss tools and website minamdm.com (now offline), one of the most used iCloud bypass tools. According to James Duffy and Daniyal, if you are a user of Minacriss services, change your passwords IMMEDIATELY. They discovered a vulnerable system owned by Minacriss that is directly exposed to the internet and holds sensitive data.
Important Security Notice: Minacriss Activator (iCloud bypass)
“Full names, email addresses, usernames/passwords of over 20,000 users are stored and exposed. Please share this post if you know of any users of these tools. We have tried contacting Minacriss to no avail so this was a last resort. Following a fix, we will release full details.”
Until the issue has been fixed we will not release any further details of the vulnerability. We are releasing this purely for the safety of the users of these services.
James Duffy will post more information on his personal blog about the sensitive data exposed by the Minacriss services and website. We will update this information if it is relevant to the security of iCloud bypass users.
An extract of the Minacriss user database.
Following successful exploitation, I attempted to retrieve the first 5 records in the database, and was presented with the ID of said user, the password hash (which, for clarity, can be cracked very easily on a modern machine), full name of the user, username, and amount of credits on account. Email addresses were also pulled from another table. Minacriss also kindly included his root password for the server in his database.. Not so great, as this could reveal even more personal data.. As a little extra, I was also able to mark the invoices in his system in my generated account to ‘PAID’!
F3arRain also keeps users' personal data on its server.
“Following analysis from Twitter user @IFPDZ, it’s also confirmed that the F3arRain iCloud bypass is exfiltrating the Decrypted Keychain from the device, holding usernames and passwords to your online services. The Accounts database information is also uploaded, which contains Sync tokens for the majority of the applications installed on your device, potentially taking control of all your online accounts and services.”
The following screenshots have been provided by @IFPDZ showing a selection of his findings: