Apple Patches Vulnerability Possibly Linked to Celebrity Picture Leaks

Apple has patched a flaw that may be linked to the leak of salacious celebrity photos on the Web.

The flaw existed in the ‘Find My iPhone’ service. In order to use it, hackers would need to know the username of the account they are targeting. The vulnerability allowed attackers to guess passwords repeatedly without being locked out and without notifying the account owner. If the password was successfully guessed, the attacker could then access the iCloud account.
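The two controls described as missing above, lockout after repeated failed guesses and notification of the account owner, can be sketched as a single guard that every password-accepting endpoint calls. This is an added example, not Apple's code and not part of the original report; the class and function names, the thresholds, the endpoint labels and the sample account are assumptions, and the scenario in `run_demo` is constructed.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed policy values, not taken from the article
WINDOW_SECONDS = 900    # failures older than this no longer count
LOCKOUT_SECONDS = 1800  # how long a locked account refuses sign-ins

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0

class LoginGuard:
    """One failure counter per account, shared by every endpoint that takes a password."""

    def __init__(self, check_password, notify_owner, clock=time.time):
        self.check_password = check_password  # callable(username, password) -> bool
        self.notify_owner = notify_owner      # callable(username, message)
        self.clock = clock
        self.accounts = {}

    def attempt(self, username, password, endpoint):
        now = self.clock()
        state = self.accounts.setdefault(username.lower(), AccountState())
        if now < state.locked_until:
            return "locked"  # password is not evaluated, so guesses during lockout reveal nothing
        if self.check_password(username, password):
            state.failures.clear()
            return "ok"
        state.failures = [t for t in state.failures if now - t < WINDOW_SECONDS]
        state.failures.append(now)
        if len(state.failures) >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures.clear()
            self.notify_owner(username, f"account locked after repeated failed sign-ins via {endpoint}")
            return "locked"
        return "denied"

def run_demo():
    """Constructed scenario: seven wrong guesses, then the right password, over two endpoints."""
    sent = []
    guard = LoginGuard(lambda u, p: hmac.compare_digest(p, "correct-horse"),
                       lambda u, msg: sent.append((u, msg)), clock=lambda: 1000.0)
    guesses = ["a", "b", "c", "d", "e", "f", "g", "correct-horse"]
    results = [guard.attempt("user@example.com", g, "web" if i % 2 else "device-locator")
               for i, g in enumerate(guesses)]
    return results, sent
```

Because the counter is keyed on the account rather than on the endpoint, switching between services does not reset it, and the correct password is refused until the lockout expires.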

A tool for brute forcing the accounts was posted on GitHub. News of the patch followed reports that nude photos of celebrities such as ‘Hunger Games’ actress Jennifer Lawrence and model Kate Upton had been leaked on the Internet, and Anonymous and 4chan users claimed to have taken images from roughly 100 different celebrity accounts.

“There have been claims that iCloud may be involved, but it’s tricky to confirm even if all of the celebrities affected use Apple devices,” blogged security researcher Graham Cluley. “Many folks are blissfully unaware about iPhone photos being automatically sent to an Apple iCloud internet server after it is taken. That’s great in some ways – it means it’s easily accessible on our other Apple devices – but might be bad in others.”

The tool posted to GitHub was developed by HackApp, which also posted slides and a presentation about iCloud security online.

Rik Ferguson, Trend Micro’s global vice president of security research, advised people to not reuse passwords across multiple sites and to enable any security options an online service they are using offers.

“Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so,” he blogged.

“As for those security or password reset questions, consider whether the answers are really secure,” he added. “Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.”
