Is Poor iCloud Security To Blame For Celebrity Photo Leak?

Following the shocking leaks of celebrity nude photos, Apple is now looking into its security systems for answers.

Apple has for the first time acknowledged reports of an untold number of nude or compromising photos allegedly stolen from celebrities' Apple iCloud accounts.

"We take user privacy very seriously and are actively investigating this report," Apple representatives told Mashable.

While that doesn't admit any kind of culpability in the attack, which was first reported Sunday, security experts are already pointing the finger at not one but two flaws in iCloud security.

According to a report in TheNextWeb, a hack called iBrute was posted Saturday on GitHub by mobile security firm HackApp.

Though technically a mere proof of concept, it showed hackers how to exploit an apparent "brute force" vulnerability in the Find My iPhone API.

Find My iPhone is part of a trio of services connected to iCloud, including Photo Stream and Apple's password manager, iCloud Keychain.

A brute-force security attack is essentially a trial-and-error way of breaking through security, and it usually only works if there is a weakness in the security of a system that allows an unlimited number (or a very high number) of login attempts.

Most systems you log into protect from brute-force attacks by locking up the system or the account, usually temporarily, after a certain number of failed login attempts. The iPhone itself, for instance, will lock you out for a few minutes if you try the wrong security passcode too many times in a row.

But apparently Find My iPhone did not have any such limits — until just now. Early Monday, HackApp reported that Apple had patched the vulnerability.
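To make the difference between the two settings concrete, here is an added example (not Apple's code and not part of the original article) of a login gate that counts consecutive failures per account and imposes a temporary lockout, with a "no limit" policy standing in for the weak configuration described above. The `AuthGate` class, the `LockoutPolicy` thresholds, the sample account and the short candidate list are all constructed for the demonstration.

```python
"""Account lockout against online password guessing (added example, constructed data)."""
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    # max_failures=None means "no limit": the weak setting the article describes.
    max_failures: Optional[int] = 5
    lockout_seconds: float = 300.0


class AuthGate:
    """Wraps a credential check with per-account consecutive-failure counting
    and a temporary lockout once the policy threshold is reached."""

    def __init__(self, credentials: Dict[str, str], policy: Optional[LockoutPolicy] = None,
                 clock=time.monotonic):
        # Hypothetical store: account -> password. Plaintext only for the demo;
        # a real service stores a salted password hash and verifies against it.
        self._creds = credentials
        self._policy = policy or LockoutPolicy()
        self._clock = clock            # injectable so tests can advance time deterministically
        self._failures: Dict[str, int] = {}      # account -> consecutive failed attempts
        self._locked_until: Dict[str, float] = {}  # account -> timestamp when the lock expires

    def attempt(self, account: str, password: str) -> str:
        """Returns "ok", "denied" or "locked". A locked account rejects even the
        correct password until the lock expires."""
        now = self._clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        stored = self._creds.get(account, "")
        # Constant-time comparison so timing does not reveal how much of the guess matched.
        if account in self._creds and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        limit = self._policy.max_failures
        if limit is not None and n >= limit:
            self._locked_until[account] = now + self._policy.lockout_seconds
            self._failures[account] = 0
            return "locked"
        return "denied"


def guess_outcome(gate: AuthGate, account: str, candidates):
    """Feed a constructed candidate list to the gate and report how it responded:
    (attempts the gate processed, final result). Stops at the first "ok" or "locked"."""
    tried = 0
    for pw in candidates:
        tried += 1
        result = gate.attempt(account, pw)
        if result in ("ok", "locked"):
            return tried, result
    return tried, "denied"


# Constructed sample data: one account and a short list of common guesses ending in the real value.
SAMPLE_CREDS = {"alice@example.test": "correct horse"}
CANDIDATES = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin", "welcome", "correct horse"]


def compare_policies():
    """Weak setting (no limit) beside the corrected one (lock after 5 failures)."""
    unlimited = AuthGate(SAMPLE_CREDS, LockoutPolicy(max_failures=None))
    limited = AuthGate(SAMPLE_CREDS, LockoutPolicy(max_failures=5, lockout_seconds=300))
    return {
        "unlimited": guess_outcome(unlimited, "alice@example.test", CANDIDATES),
        "limited": guess_outcome(limited, "alice@example.test", CANDIDATES),
    }


if __name__ == "__main__":
    print(compare_policies())  # → {'unlimited': (8, 'ok'), 'limited': (5, 'locked')}
```

The unlimited gate lets every guess through until one matches; the limited gate stops processing guesses at the fifth failure and keeps rejecting even the right password until `lockout_seconds` have passed, which is the behaviour the article attributes to the iPhone passcode screen. A per-account lock on its own also lets anyone who knows a victim's email address keep that account locked, so production services usually combine it with per-source rate limiting and escalating delays rather than a single hard threshold.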

Apple has not confirmed or denied the existence of any such vulnerability or patch.

According to Andrey Belenko, senior security engineer for mobile security firm viaForensics, iBrute was posted roughly 36 hours before the first photos leaked, which may not have been enough time for such a brute force attack to work.

Even if all this is true, why were so many accounts apparently hacked? A leading theory is that there were a handful of accounts that were used to find contact details, including email addresses, for the others.

With those IDs in hand, the hackers simply continued to apply the brute-force attack (probably starting with the same list of potential passwords that was posted along with iBrute) until they had access to other accounts' iCloud data — including, crucially, Photo Stream (iOS photos stored in iCloud).

There's also the possibility that the photos, some of which are confirmed as authentic, may have come from a different source. Belenko, for one, is not so sure there's a cause and effect here.

When asked if he or HackApp felt at all responsible and if they had given Apple a chance to patch the alleged hole before presenting iBrute, he replied on Twitter: "Don't know if it was disclosed (it should've been). I don't think that tool and the leak are connected though."
