How the attack on iCloud was carried out



Upload: girolamo-savonarola

Post on 08-Jul-2015


Category: Internet



Description: A hypothesis about how the attack on iCloud could have been carried out.


Page 1: How the attack on iCloud was carried out

This could be the iCloud flaw that led to celebrity photos being leaked (Update: Apple is investigating)

thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/

Owen Williams

1 September '14, 01:05pm

An alleged breach in Apple's iCloud service may be to blame for countless leaks of private celebrity photos this week.

On Monday, a Python script emerged on GitHub (which we're not linking to as there is evidence a fix by Apple is not fully rolled out) that appears to have allowed malicious users to 'brute force' a target account's password on Apple's iCloud, thanks to a vulnerability in the Find My iPhone service. Brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one.

The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has eventually been matched, the attacker can then use it to access other iCloud functions freely.


Users on Twitter were able to use the tool from GitHub (which was published for two days before being shared to Hacker News) to access their own accounts before, it seems, Apple patched the hole today. The owner of the tool noticed it was patched at 3:20am PT.

When we tested the tool, it locked out our accounts after five attempts, meaning that the Python script certainly tries to attack the service but Apple has patched the hole.


We discussed the tool with its creator, Hackapp, over Twitter, who said "this bug is common for all services which have many authentication interfaces" and that with "basic knowledge of sniffing and reversing techniques" it is "trivial" to uncover them. When asked if the method could have been used in the celebrity hack today, Hackapp said "I've not seen any evidence yet, but I admit that someone could use this tool."
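The flaw class described above (one authentication interface that checks passwords without any lockout or alert, a password recovered there then working on every other iCloud function, a lockout after five attempts once the hole was closed, and Hackapp's point that services with many authentication interfaces commonly have this bug) is easier to reason about with a small model. The following is an added example, not code from the article, from Apple, or from Hackapp's tool: a toy Python account service with two authentication interfaces, one protected by a per-account failure counter and one that bypasses it. The account name, the password, the wordlist and the five-attempt threshold are constructed for the example; the interface names are invented and stand in for a web login and a device-locator API.

```python
# Added example (not from the article, Apple or Hackapp): a toy account
# service whose two authentication interfaces share one password store.
import hashlib
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # mirrors the five-attempt lockout the article observed


def _pw_hash(password: str) -> str:
    # Toy hash so the example is self-contained; a real service uses a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    email: str
    pw_hash: str
    failed: int = 0      # failure counter that every interface must update
    locked: bool = False


class AccountService:
    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        self.alerts = []  # (email, interface) per lockout, i.e. the user alert

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, _pw_hash(password))

    def _authenticate(self, email: str, password: str, interface: str) -> bool:
        """Shared policy: count failures, honour the lock, raise an alert."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            return False
        if self._password_ok(acct, password):
            acct.failed = 0
            return True
        acct.failed += 1
        if acct.failed >= MAX_ATTEMPTS:
            acct.locked = True
            self.alerts.append((email, interface))
        return False

    # Interface 1: the main web login, protected by the shared policy.
    def web_login(self, email, password):
        return self._authenticate(email, password, "web")

    # Interface 2, as the article describes it: a device-locator API that
    # checks the password directly and never touches the counter or the lock.
    def locator_login_vulnerable(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and self._password_ok(acct, password)

    # Interface 2 after the fix: routed through the same shared policy.
    def locator_login_fixed(self, email, password):
        return self._authenticate(email, password, "locator")


def brute_force(login, email, wordlist):
    """Attacker loop: try each candidate until one is accepted.
    Returns (password or None, number of requests made)."""
    for n, candidate in enumerate(wordlist, 1):
        if login(email, candidate):
            return candidate, n
    return None, len(wordlist)


# Constructed sample data: a weak, guessable password and a short wordlist.
TARGET = "target@example.com"
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "sunshine", "princess", "monkey"]


def run_attack(interface_name: str) -> dict:
    """Run the wordlist against the named locator interface on a fresh service."""
    svc = AccountService([Account(TARGET, _pw_hash("sunshine"))])
    login = getattr(svc, interface_name)
    found, attempts = brute_force(login, TARGET, WORDLIST)
    acct = svc.accounts[TARGET]
    return {
        "found": found,
        "attempts": attempts,
        "locked": acct.locked,
        "alerts": len(svc.alerts),
        # A password recovered via the weak interface works on every other one.
        "reused_on_web": found is not None and svc.web_login(TARGET, found),
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack("locator_login_vulnerable"))
    print("fixed:     ", run_attack("locator_login_fixed"))
```

Against the unprotected interface the wordlist recovers the password on the sixth request, the account is never locked, no alert is raised, and the recovered password is then accepted by the web login. Against the fixed interface the fifth failure locks the account and records an alert, so the correct candidate is rejected when the loop reaches it. The check worth keeping from this is that the lockout policy lives in one place that every interface is forced through; a second interface with its own shortcut to the password check is exactly the gap the tool exploited.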

Hackapp also posted a slideshow that details the tool, why it was created, and identifies other problems in iCloud keychain's security. We're not able to verify all the claims in the slideshow, but the creator points out the flaws we mentioned in the slide below.

It's unclear how long this hole was open, leaving those with simple, guessable passwords easily attacked once hackers had an email address to target. There is still no concrete evidence that these images were leaked via iCloud, and they may instead have been obtained via multiple attacks, though the hacker that originally leaked the images claims that they were retrieved from iCloud.

A similar kind of attack has occurred before. Hackers have previously used Find My iPhone to hold victims ransom, locking their phones and demanding money in exchange for giving their phone back.

We've contacted Apple for comment but have yet to receive a reply. Meanwhile, The Independent reported that Apple has "refused to comment" on any security flaw in iCloud today.

Update: "We take user privacy very seriously and are actively investigating this report," Apple spokeswoman Natalie Kerris told Recode.


Image credit: Justin Sullivan/Getty Images