Apple is well known for its secure services and devices. After all, given the amount of credit card data the company holds through iTunes, it has to take security seriously. However, Apple appears to have failed in one critical area, iCloud, and the cost of that failure is private photos of a large number of celebrities being leaked online.
The list of celebrities affected by this breach includes Jennifer Lawrence, Kirsten Dunst, Kate Upton and Avril Lavigne, to name a few. The images surfaced late last night. According to anonymous 4chan users, the photos were taken from Apple's iCloud servers.
Photos aren't the only items the hacker obtained. According to 4chan users, the hacker also holds videos, which he or she intends to sell to TMZ. Several celebrities have confirmed that the photos are indeed authentic. Further confusion has been added by other claims, including one from Mary Elizabeth Winstead, who says the photos in question were deleted long ago.
Several others claim the images are fake. A spokesperson for Ariana Grande called the images 'completely fake', while Victoria Justice herself denied their authenticity on Twitter.
One fact does bear on the question, however: if the hacker really has videos, they did not come via My Photo Stream, which syncs photos only and does not carry videos. An iOS device does, however, include its Camera Roll, videos included, in a full iCloud device backup, so a compromised account's backup is a plausible source. Trisha Hershberger says she does not even use an iPhone or any other iOS device and that the pictures attributed to her are fake as well.
The source of this privacy breach may have been a weakness in Apple's Find My iPhone service. According to The Next Web, a Python script that emerged on Monday lets an attacker brute-force a target's iCloud password. The Find My iPhone login endpoint neither rate-limited authentication attempts nor locked the account after repeated failures, so an attacker could submit password guesses indefinitely with no repercussions.
A tool exploiting this was uploaded to GitHub and sat there for two days before being shared on Hacker News. The two-day window between the tool's publication and its discovery, followed by the appearance of the photos, is suggestive of a link between the events, though it is not proof of one.
Apple patched the vulnerability today at 3:20 am PT, but before that many Twitter users downloaded the tool and used it to crack their own passwords. A brute-force loophole combined with weak passwords is a perfect recipe for a data leak: a login endpoint that never throttles or locks out turns the attack into a question of how many guesses the attacker can afford, and a dictionary of common passwords needs very few.
The tool's creator, HackApp, confirms that the loophole has now been patched. So stay safe, folks, and pick strong, unique passwords for all of your accounts.
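To make the brute-force weakness concrete, here is an added example (not code from the article, from HackApp, or from Apple) that models two versions of a password-login endpoint: one that only checks the credential, and one that also counts failed attempts per account and locks the account for a cooling-off period. A dictionary attack with a constructed wordlist succeeds against the first and is stopped by the second. The account, wordlist, hashing scheme and lockout parameters are all assumptions for the demonstration, not Apple's implementation.

```python
import hashlib
import hmac
import time

# Constructed demo data: one account with a weak, dictionary password.
# PBKDF2-SHA256 with a fixed salt stands in for a real credential store;
# it is an assumption for the example, not the scheme any real service uses.
_SALT = b"demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1000)


USERS = {"victim@example.com": _hash("password1")}

# Constructed wordlist: an attacker tries the most common passwords first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "iloveyou"]


class UnthrottledLogin:
    """Endpoint that only checks the credential: unlimited guesses allowed."""

    def authenticate(self, user, password):
        stored = USERS.get(user)
        return stored is not None and hmac.compare_digest(stored, _hash(password))


class ThrottledLogin:
    """Same check, but failures are counted per account and the account is
    locked for lockout_seconds once max_failures is reached.  The clock is
    injectable so the lockout expiry can be exercised without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> monotonic time when the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def authenticate(self, user, password):
        if self.is_locked(user):
            # Refuse without evaluating the password, so a locked account
            # leaks nothing about whether this particular guess was right.
            return False
        stored = USERS.get(user)
        ok = stored is not None and hmac.compare_digest(stored, _hash(password))
        if ok:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            self.failures.pop(user, None)
        return False


def brute_force(endpoint, user, wordlist=WORDLIST):
    """Try each word in order; return (password_found_or_None, attempts_made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if endpoint.authenticate(user, guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print("unthrottled:", brute_force(UnthrottledLogin(), "victim@example.com"))
    print("throttled:  ", brute_force(ThrottledLogin(max_failures=3), "victim@example.com"))
```

Against the unthrottled endpoint the weak password falls on the fifth guess; against the throttled one the account locks after the third failure and every later guess, including the correct one, is refused until the lockout expires. Per-account lockout has its own downside, since anyone who knows a username can lock its owner out, so real deployments usually combine a modest lockout with per-source rate limiting, exponential backoff and a CAPTCHA or second factor rather than relying on lockout alone.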
Update: In a statement given to Re/Code regarding the alleged iCloud hacking incidents, Apple spokeswoman Natalie Kerris said: “We take user privacy very seriously and are actively investigating this report.”
As is Apple tradition, Cupertino has remained largely silent on the issue. Some experts suggest that had two-factor authentication been enabled on the compromised accounts, the whole fiasco could have been avoided.
Apple's 'two-step verification' sends a numeric code to a trusted device, and that code is required in addition to the regular password. Because the code changes on every login, it makes accounts that use it harder to crack. One caveat is worth noting: at the time of writing, Apple's two-step verification covered Apple ID account management and purchases from new devices, but it did not gate iCloud backup restores or the Find My iPhone login the brute-force tool targeted, so on its own it would not have stopped an attacker who had already guessed the password.
Update 2: Apple's investigation is over and the results are out. You can view them here.