Security Experts:

Apple Patches Vulnerability Possibly Linked to Celebrity Picture Leaks

Apple has patched a flaw that may be linked to the leak of salacious celebrity photos on the Web.

The flaw existed in the 'Find My iPhone' service. In order to use it, hackers would need to know the username of the account they are targeting. The vulnerability allowed attackers to guess passwords repeatedly without being locked out and without notifying the account owner. If the password was successfully guessed, the attacker could then access the iCloud account.

A tool for brute forcing the accounts was posted on GitHub. News of the patch followed reports that nude photos of celebrities such as 'Hunger Games' actress Jennifer Lawrence and model Kate Upton had been leaked on the Internet, and Anonymous and 4chan users claimed to have taken images from roughly 100 different celebrity accounts.

"There have been claims that iCloud may be involved, but it’s tricky to confirm even if all of the celebrities affected use Apple devices," blogged security researcher Graham Cluley. "Many folks are blissfully unaware about iPhone photos being automatically sent to an Apple iCloud internet server after it is taken. That’s great in some ways – it means it’s easily accessible on our other Apple devices – but might be bad in others."

The tool posted to GitHub was developed by HackApp, which also posted slides and a presentation about iCloud security online.

Rik Ferguson, Trend Micro's global vice president of security research, advised people to not reuse passwords across multiple sites and to enable any security options an online service they are using offers.

"Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so," he blogged.

"As for those security or password reset questions, consider whether the answers are really secure," he added. "Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember."

Subscribe to the SecurityWeek Email Briefing
view counter