Apple has for the first time acknowledged reports of an untold number of nude or compromising photos allegedly stolen from celebrities' Apple iCloud accounts.
Is Poor iCloud Security To Blame For Celebrity Photo Leak?
Following the shocking leaks of celebrity nude photos, Apple is now looking into its security systems for answers.
"We take user privacy very seriously and are actively investigating this report," Apple representatives told Mashable.
While that doesn't admit any kind of culpability in the attack, which was first reported Sunday, security experts are already pointing the finger at not one but two flaws in iCloud security.
According to a report in TheNextWeb, a hack called iBrute was posted Saturday on GitHub by mobile security firm HackApp.
Though technically a mere proof of concept, it showed hackers how to exploit an apparent "brute force" vulnerability in the Find My iPhone API.
Find My iPhone is part of a trio of services connected to iCloud, including Photo Stream and Apple's password manager, iCloud Keychain.
A brute-force security attack is essentially a trial-and-error way of breaking through security, and it usually only works if there is a weakness in the security of a system that allows an unlimited number (or a very high number) of login attempts.
Most systems you log into protect from brute-force attacks by locking up the system or the account, usually temporarily, after a certain number of failed login attempts. The iPhone itself, for instance, will lock you out for a few minutes if you try the wrong security passcode too many times in a row.
But apparently Find My iPhone did not have any such limits — until just now. Early Monday, HackApp reported that Apple had patched the vulnerability.
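As an added illustration (not code from Apple, HackApp or this article), here is the kind of per-account temporary lockout the previous paragraphs describe, written in Python; the five-attempt threshold, the 15-minute window, the account name and the password are assumed values chosen for the demo. Note that while an account is locked, even the correct password is refused, which is what caps how many guesses per hour an attacker can make.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5            # failed attempts allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # temporary lockout window (assumed policy)


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so stored credentials are not cheap to guess offline either.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> AccountState:
    salt = os.urandom(16)
    return AccountState(salt=salt, pw_hash=_hash(password, salt))


# Constructed demo store: one account with a constructed password.
ACCOUNTS = {"demo@example.com": make_account("correct horse battery staple")}


def attempt_login(account: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'locked'. `now` is injectable so tests can move time."""
    now = time.time() if now is None else now
    state = ACCOUNTS.get(account)
    if state is None:
        return "denied"  # same answer as a wrong password: do not leak which IDs exist
    if now < state.locked_until:
        return "locked"  # refused even if the password is right
    if hmac.compare_digest(_hash(password, state.salt), state.pw_hash):
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.failures = 0
        state.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```

Setting MAX_FAILURES to an unbounded value reproduces the "unlimited attempts" weakness the article attributes to the Find My iPhone API; the fix is exactly the counter and window above, applied per account.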
Apple has not confirmed or denied the existence of any such vulnerability or patch.
According to Andrey Belenko, senior security engineer for mobile security firm viaForensics, iBrute was posted roughly 36 hours before the first photos leaked, which may not have been enough time for such a brute force attack to work.
Even if all this is true, why were so many accounts apparently hacked? A leading theory is that there were a handful of accounts that were used to find contact details, including email addresses, for the others.
With those IDs in hand, the hackers simply continued to apply the brute-force attack (probably starting with the same list of potential passwords that was posted along with iBrute) until they had access to other accounts' iCloud data — including, crucially, Photo Stream (iOS photos stored in iCloud).
There's also the possibility that the photos, some of which are confirmed as authentic, may have come from a different source. Belenko, for one, is not so sure there's a cause and effect here.
When asked if he or HackApp felt at all responsible and if they had given Apple a chance to patch the alleged hole before presenting iBrute, he replied on Twitter: "Don't know if it was disclosed (it should've been). I don't think that tool and the leak are connected though."