A flaw in Apple’s “Find My iPhone” service could have been behind an attack that led to hundreds of celebrities’ iCloud accounts being compromised.
A proof-of-concept Python script developed by HackApp for brute forcing iCloud had been circulating online for several days before nude photos of 17 famous women, including Hunger Games actress Jennifer Lawrence and Scott Pilgrim lead actress Mary E Winstead appeared online – apparently stolen from their iCloud accounts.
The hacker claimed to have pictures of over 100 female celebrities in total.
The code apparently lets attackers guess passwords repeatedly through Find My iPhone without triggering a lockout or alerting the target.
Once the password had been discovered, the attacker could then use it to access other areas of iCloud.
Apple has since patched the hole, although there are claims being made on Reddit that the patch is only active in certain regions.
However, security researcher Graham Cluley has claimed it’s “hard to believe that this could have been successfully used against a wide number of accounts without detection in a short space of time”.
Another option put forward by Cluley and other researchers is that the victims of the attack had either an easy-to-guess password or password reset answers.
“Many sites give you a ‘forgot your password’ option, or ask you to jump through hoops by answering ‘secret questions’ to prove your identity,” Cluley said.
“However, in a celebrity’s case, it may be particularly easy to determine the name of their first pet or their mother’s maiden name with a simple Google search,” he added.
Rik Ferguson, a security researcher with Trend Micro, also said “a wide scale ‘hack’ of Apple’s iCloud is unlikely”, pointing out that even the original poster hadn’t claimed that was the case.
He, like Cluley, suggested the attacker may have used the “I forgot my password” link if they already knew and had access to the email addresses the victims were using for iCloud. He also suggested the celebrities in question may have fallen victim to a phishing attack.
Twitter reaction and legal threats
While the photos were initially leaked on 4chan, it didn’t take long for the pictures of Jennifer Lawrence in particular to start appearing on Twitter.
Within about two hours, Twitter had begun suspending all accounts that had published any of the stolen photos, but according to a timeline from The Mirror, the social network was playing a game of “whack-a-mole”, with new pictures continuing to appear for well over an hour after it started to act.
Mary E Winstead took to Twitter herself to call out both the person who published the pictures and those who were looking at them.
To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.
— Mary E. Winstead (@M_E_Winstead) August 31, 2014
However, she eventually had to withdraw from the platform to get away from the abusive messages she was receiving
Going on an internet break. Feel free to my @’s for a glimpse of what it’s like to be a woman who speaks up about anything on twitter
— Mary E. Winstead (@M_E_Winstead) September 1, 2014
Jennifer Lawrence’s spokesperson has already said they will be pursuing legal action against anyone distributing the photos.
“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” they said.
In 2011, similar action was taken when the emails of 50 celebrities including Scarlett Johansson and Christina Aguilera, were hacked and nude photos stolen and publicly disseminated.
Following an FBI investigation, the perpetrator, Christopher Chaney of Jacksonville, Florida, was sentenced to ten years in jail.
Security countermeasures
While non-celebrities are less likely to have their nude photos distributed quite so widely as a famous person’s, it can and does still happen.
Security specialists have said this incident should serve as a reminder of the importance of having effective security measures in place for any online service and encourage users to be mindful of what’s uploaded to the cloud.
“With today’s devices being very keen to push data to their own respective cloud services, people should be careful that sensitive media isn’t automatically uploaded to the web, or other paired devices,” Chris Boyd, malware intelligence analyst at Malwarebytes, told PC Pro.
Ferguson suggested it was possible the people who had fallen victim to the attack had forgotten or didn’t realise that Apple syncs photos in a user’s iPhone or iPad Photo Stream automatically to their iCloud.
“In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough,” he said.
Both Boyd and Ferguson recommend finding out if and how backups or “shadow copies” of data stored in a cloud service are taken and how they can be managed.
Stefano Ortolani, security researcher at Kaspersky Lab, also suggested users should “cherry-pick” which data is stored in the cloud and disable auto-syncing.
“You could also argue that smartphones, which are continually connected to the internet, are not the best place for nude pictures,” said Boyd – a sentiment echoed by Cluley and Ferguson.
PC Pro contacted Apple to ask whether the company was aware of a wide-scale hack of its iCloud service, but had not received a response at the time of publication.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.