Celebrity photo iCloud update: Find My iPhone features likely the weak link

Apple has said that it is investigating the breach of its iCloud accounts that resulted in the widespread distribution of private photos of many notable Hollywood celebrities. The statement also confirms that there was unauthorized access to the iCloud accounts.

Nothing has been announced from Cupertino as to how the hacks were carried out, but some evidence points to a vulnerability in iCloud’s Find My iPhone feature, exploited by a Python script that was published on GitHub a few days ago as a proof-of-concept demonstration.

The script, called iBrute, takes a brute-force approach: it submits email and password combinations over and over until one of them succeeds. Most services limit the number of user ID and password attempts that can be made before locking the account down. Until last night, Apple’s system allowed an unlimited number of queries.

Even with unlimited queries, though, something as simple as a second authentication step might have stopped the "hacker." Called two-step verification, it is available as an option on many services, including Apple ID, but these features are not strongly promoted across the board. In Apple’s case, two-step verification was initially implemented early last year and widely expanded only a couple of months ago.

What is interesting about this development is that this may not be the first time we have seen this Apple ID feature exploited through “brute force.” This past spring, a number of iPhone and iPad users in Australia found their accounts had been hijacked by “hackers” (it really is not a hack; rather, it is a trial-and-error approach) who then demanded a ransom to return control of the accounts to the original user. In that instance, accounts with two-step verification were not affected.

What is even more telling about this breach is the apparent lack of notifications to the account holder over repeated access attempts, and apparently no proactive checks for unfamiliar IP address ranges or device identifiers. Have you ever tried to log into one of your online services from a new computer only to be immediately challenged to prove who you were, solely because it was a different machine?
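The three missing controls discussed above (an attempt limit with lockout, owner alerts on repeated failures, and a challenge when a correct password arrives from an unfamiliar address) can be sketched as a thin wrapper around any credential check. This is an added illustration, not code from the article, from iBrute, or from Apple; the thresholds, the account name and the IP addresses are constructed for the example.

```python
"""Added example, not from the article or Apple: the lockout, owner alerts and new-IP
challenge the article says Find My iPhone lacked. Sample sequences are constructed."""
from collections import defaultdict

MAX_FAILURES = 5   # assumed policy: lock the account after 5 consecutive failures
ALERT_AFTER = 3    # assumed policy: notify the owner once 3 failures accumulate


class LoginGuard:
    """Wraps a credential check so unlimited guessing is no longer possible."""

    def __init__(self, check_password):
        self.check_password = check_password   # callable(user, password) -> bool
        self.accounts = defaultdict(
            lambda: {"failures": 0, "locked": False, "known_ips": set(), "alerts": []})

    def attempt(self, user, password, src_ip):
        st = self.accounts[user]
        if st["locked"]:
            return "locked"                    # further guesses are not evaluated
        if not self.check_password(user, password):
            st["failures"] += 1
            if st["failures"] == ALERT_AFTER:
                st["alerts"].append(f"{ALERT_AFTER} failed logins from {src_ip}")
            if st["failures"] >= MAX_FAILURES:
                st["locked"] = True
                st["alerts"].append(f"locked after {st['failures']} failures")
            return "denied"
        # Right password, but an IP never seen on this account gets a second step.
        if st["known_ips"] and src_ip not in st["known_ips"]:
            st["alerts"].append(f"login from unfamiliar IP {src_ip}")
            return "challenge"
        st["known_ips"].add(src_ip)
        st["failures"] = 0
        return "ok"


def simulate_guessing():
    """Constructed trial-and-error run: six wrong guesses, then the right password."""
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct-horse"))
    results = [guard.attempt("alice", f"guess{i}", "203.0.113.9") for i in range(6)]
    results.append(guard.attempt("alice", "correct-horse", "203.0.113.9"))
    return results, guard.accounts["alice"]["alerts"]


def simulate_new_device():
    """Constructed legitimate logins: first from a known IP, then from a new one."""
    guard = LoginGuard(lambda u, p: p == "correct-horse")
    return (guard.attempt("alice", "correct-horse", "198.51.100.2"),
            guard.attempt("alice", "correct-horse", "203.0.113.9"))
```

Note that once the lockout triggers, even the correct password is refused, which is the point: the guessing loop can no longer "strike gold" no matter how many queries it sends, and the owner has two alerts to act on.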

Among the A-list celebrities who found their private photos scattered all over the internet were Jennifer Lawrence, Kate Upton, Rihanna, Mary Winstead, and Vanessa Hudgens. More than 100 accounts were compromised.

As we noted in our earlier article, taking responsible steps to protect one's digital profile is a personal responsibility. As consumers we are responsible for what we do (such as not leaving valuables in plain sight in a locked car), and that includes using the available tools to protect what we deem valuable. In this case though, it looks like Apple has some work to do (i.e. the locked car may have defective locks) to bring some more robust consumer protections to its online services. Moreover, a revision in how cloud services are, or are not, enabled by default on Apple’s products would serve everyone better.

Sources: re/code, Jonathan Zdziarski, and Redmond Pie


36 Comments

1. Mxyzptlk unregistered

Patch up time.

2. Mxyzptlk unregistered

Cue the haters. This is a quick response and not delayed like other OEMs tend to do.

5. xondk

Posts: 1904; Member since: Mar 25, 2014

Well at least they are admitting it. I'm not a hater, but Apple has been wandering around saying that they protect people's privacy, and then to find that such basic features are missing from a place where people's private data is stored.... I predict celebs suing the hell out of Apple because they promoted themselves as a secure service but have been shown to lack basic features such as spam attempt protection, IP tracing, or simply notifying the user of several failed attempts...

7. Scott93274

Posts: 6032; Member since: Aug 06, 2013

If this article had Motorola as the one to blame and not Apple, everyone knows full well that you would be the biggest hater in the comments section. Enough with the double standards and admit that Apple makes plenty of mistakes and iOS isn't half as secure as Apple fanboys such as yourself claim it is.

10. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

So why no comment in the previous article about this defending them? Or did you have to wait until they announced they were working on it? I agree with Scott, if this was Motorola and not Apple, they would've been Satan incarnate, but Apple says they'll fix it so we'll give them a pass. What a joke. Any secure system, say like online banks, limits the number of attempts you can try to log in before locking the account. Even though 2-step verification is available, why wouldn't they have that as a backup as well? Personal info is more valuable than money. You can always make more money, but personal info can screw up the rest of your life if it gets in the wrong hands.

13. meanestgenius

Posts: 21778; Member since: May 28, 2014

I find it extremely ironic that a hater and a troll such as yourself is calling others haters. Pot, meet Kettle...

26. thunder18

Posts: 154; Member since: Aug 06, 2009

Quick response you say? "What is interesting about this development is that this may not be the first time we have seen this Apple ID feature exploited through “brute force.” This past spring, a number of iPhone and iPad users in Australia found their accounts had been hijacked by “hackers” (it really is not a hack rather, it is a trial-and-error approach) who then demanded a ransom to return control of the accounts to the original user. In that instance, accounts with two-step verification were not affected."

31. Scott93274

Posts: 6032; Member since: Aug 06, 2013

Well for Apple, waiting years to get features common on other devices is perfectly acceptable. So a 6-month turnaround on a massive flaw to gain access to someone's personal data is very quick for someone like Mxyzptlk.

36. BlankSpaceNai

Posts: 127; Member since: Apr 23, 2014

All I have to say is this. This isn't surprising in the least. You have a company who prides itself constantly with having high security. You have a public who believe Apple's defenses are impenetrable. You have a public who are blindly loyal to their brand and what they say. That's a gold mine to anyone who can 'crack it'. Really.. nothing is immune to the growth of technology, just because BACK THEN, there was no way to 'crack' it doesn't mean it will stay that way. People dedicated enough will find a way. >_> Really, it was only a matter of time, and if you believe that someone is really that 'invulnerable', then that's your fault for believing such a thing.

35. willard12 unregistered

Cue the apologists. If this were Samsung, what would you be saying?

3. JakeLee

Posts: 1021; Member since: Nov 02, 2013

And how does it explain all the leaked video clips which aren't stored on iCloud? Something is fishy here.

8. Scott93274

Posts: 6032; Member since: Aug 06, 2013

Does iCloud not allow you to store video clips?

12. esperanza

Posts: 49; Member since: Mar 23, 2013

The celebrities' Dropbox and Google Drive accounts were hacked with iCloud at the same time in different ways.

16. vincelongman

Posts: 5677; Member since: Feb 10, 2013

AFAIK only iCloud, Apple's Photo Stream (supports videos), and Dropbox were 'confirmed' by the leaker. Now it seems Find My iPhone was the reason iCloud, Apple's Photo Stream and Dropbox were able to be accessed. Not a good look for Apple.

27. -box-

Posts: 3991; Member since: Jan 04, 2012

It could have been a simple password exploit: Once the hackers brute-forced their way into the less-secure iCloud, they could/would have tried the same password on other services, or variations thereof.

32. Scott93274

Posts: 6032; Member since: Aug 06, 2013

One thing that really bothers me is who's to say that they don't also have login information for several other celebrity accounts and just periodically check to see if anything intimate gets uploaded. Just because pictures weren't posted doesn't mean that accounts are safe. This could have long-lasting effects if people don't completely reset their passwords. They did spend several months gathering these photos after all; how many additional accounts have been compromised and people just don't know it yet?

18. vincelongman

Posts: 5677; Member since: Feb 10, 2013

Kirsten Dunst confirmed her pics were from her iCloud: https://twitter.com/kirstendunst/status/506553772114317312 Videos were supposedly accessed from Photo Stream and Dropbox

4. Planterz

Posts: 2120; Member since: Apr 30, 2012

Thankfully I haven't uploaded pics of me with jizz all over my face (being a hetero male that isn't an international celebrity), so this doesn't really apply to me. But really, how effing stupid do you have to be...?

6. AlikMalix unregistered

"Likely"? Let's wait for a real update instead of feeding FUD.

9. illusionmist

Posts: 157; Member since: Jan 29, 2013

I've seen no concrete evidence linking this to the leak. Sites keep using "iCloud" in the title only because some random dude on 4chan said so.

11. Scott93274

Posts: 6032; Member since: Aug 06, 2013

Can you read? The very first sentence is Apple taking responsibility for the leak. "Apple has said that it is investigating the violation of its iCloud accounts, resulting in the widespread distribution of many notable Hollywood celebrity femme fatales." When I say taking responsibility, I don't mean they're to blame, but they're taking action as a result. Had this been Google Drive or Dropbox, I doubt that they would have made such a statement.

14. Napalm_3nema

Posts: 2236; Member since: Jun 14, 2013

It was actually all three, but Apple has already issued an update to fix the iCloud problem.

15. Scott93274

Posts: 6032; Member since: Aug 06, 2013

You say that with such certainty; care to post a link to your source?

17. vincelongman

Posts: 5677; Member since: Feb 10, 2013

Kirsten Dunst confirmed her pics were from her iCloud: https://twitter.com/kirstendunst/status/506553772114317312

19. Sniggly

Posts: 7305; Member since: Dec 05, 2009

While iCloud was definitely involved, and anyone who denies it is a fu.cking idiot, security issues happen to all companies. It's not as likely but it could have even happened to Google. Unfortunately for Apple, this is damaging and high profile enough that a class action lawsuit could easily come out of this. The timing is also bad; if enough people pay attention to the "iCloud" part of the story, it could affect Apple's launch of the iPhone 6.

20. Scott93274

Posts: 6032; Member since: Aug 06, 2013

Oh snap... I never even thought of that. Though I doubt that diehard fans will let this influence their decision about buying the iPhone 6. Even though I hate the platform, I cannot deny that it's what a good number of people want. I'm curious to see what kind of backlash this leak causes for Apple.

21. Settings

Posts: 2943; Member since: Jul 02, 2014

Why does it have to be girl nudes to be leaked? How bout us ladies then? LOL! In the first place I have no trust in Apple's security and so are their devices. They always have a problem. Not like Android or WP.

22. GreekGeek

Posts: 1276; Member since: Mar 22, 2014

I have Don Cheadle and Morgan Freeman. PM me

23. Settings

Posts: 2943; Member since: Jul 02, 2014

No thanks! You can keep those.

24. xfire99

Posts: 1205; Member since: Mar 14, 2012

Where are those pictures? ;)
