iCloud password hack published, blocked as celebrity photo theft confirmed [Updated: Apple comment]

If you've been enjoying the US holiday weekend away from sources of news, well done. If not, you may well have seen reports of a large cache of explicit photos of celebrities, including Academy Award winner Jennifer Lawrence, supermodel Kate Upton and other female and male actors, being published to 4chan's image boards. The publisher apparently was seeking Bitcoin contributions in exchange for the images. While several of the people pictured in the image cache have called the images fakes, others have acknowledged that the photos of them were unaltered.

Update 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods.

Update 2:35 pm ET: Over at The Guardian, tech reporter Charles Arthur summarizes the current thinking about the image release from security researchers. Some are surmising that these images were gathered over months or years (the earliest timestamps are from 2011, the most recent from last month) and then the repository itself was hacked or stolen. iCloud is still under scrutiny as a vector for gaining access to private images.

Update 6:50 pm ET: Re/code has a statement from Apple on the story; spokesperson Natalie Kerris says the company takes user privacy very seriously and is actively investigating.

Early reports noted the alleged hacker's assertion that an iCloud exploit was used to gain access to the target accounts and harvest the images. That has not been confirmed in any way (security researchers are eyeing several other services including Dropbox as potential attack vectors), but both The Next Web and our own former contributor Richard Gaywood took note of the release this weekend of an iCloud password crack tool that could, theoretically, have been used to attack specific iCloud accounts. Our sister site Engadget has a good overview of how the attack would have worked.

The "ibrute" tool leveraged a security oversight -- a lack of brute-force protection -- within Apple's Find My iPhone tool. After the code was in the wild for a couple of days, Apple apparently patched the flaw, so the code is now only a proof-of-concept demonstration.

The core functionality was pretty simple: given a target iCloud account ID, ibrute would simply run through a list of the 500 most commonly used passwords that complied with Apple's password rules (sourced from the infamous RockYou hack that revealed millions of real-world passwords) and try to nail down the password for the account. Since the Find My iPhone API did not throttle or lock out after a certain number of guesses in a given time period, it was possible to "brute force" passwords without tripping any security alarms. This lockout is where Apple has now changed things; trying random passwords via the Find My iPhone API will now lock your account after five attempts.
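The missing control described above can be sketched as a per-account failure counter that every login path shares. This is an added example, not Apple's code: the five-attempt threshold is the article's figure, while the 15-minute window, the endpoint names and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # the article's figure: lock after five attempts
WINDOW_SECONDS = 900    # assumption: the article gives no time window


class AccountLockout:
    """Per-account failure tracker shared by every login endpoint."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked = set()

    def is_locked(self, account):
        return account in self.locked

    def record(self, account, success, now):
        """Record one attempt; return 'locked', 'ok' or 'failed'."""
        if account in self.locked:
            return "locked"              # refuse even a correct password
        if success:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()             # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "failed"


def replay(events, guard=None):
    """Feed (timestamp, endpoint, account, success) events through one guard."""
    guard = guard or AccountLockout()
    return [(ep, guard.record(acct, ok, ts)) for ts, ep, acct, ok in events], guard


# Constructed sample: six wrong guesses a second apart on a secondary endpoint,
# then the correct password on the main login. Endpoint names are hypothetical.
SAMPLE = [(t, "device-locator-api", "user@example.com", False) for t in range(6)]
SAMPLE.append((6, "web-login", "user@example.com", True))

if __name__ == "__main__":
    for endpoint, outcome in replay(SAMPLE)[0]:
        print(endpoint, outcome)
```

Because the counter is keyed on the account rather than the endpoint, failures on a secondary API count against the same limit as the main login. A hard lock also lets anyone who knows an account ID lock its owner out, so deployments usually pair it with a timed unlock or a recovery step.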

One Next Web commenter pointed out that just having the iCloud password doesn't necessarily mean you have instant access to iCloud's Photo Stream; you would still need to log in via an iOS device, via iPhoto on a Mac or the iCloud control panel on a Windows PC. In theory, that should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert. [Update 9/2: Thinking that iCloud would send an email was over-optimistic; see here.]

Apple's two-factor authentication setting for iCloud does require entering a security code for certain kinds of account actions, but it's not clear that "accessing Photo Stream photos from a new PC" is one of the triggers. (I'm testing this now.) [Test and documentation show it's not one of the triggers.]

As our friend Christina Warren noted in her solid summary of iCloud security over at Mashable, we don't know at this stage whether or not iCloud is implicated as a vector for this most public hack; that said, there are steps you can take today (complex, longer passwords; avoiding password reuse; 2-factor auth; turning off iCloud backup for photos if they are sensitive or compromising) which will provide you better security and more peace of mind regardless.