Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Apple Patches Vulnerability Possibly Linked to Celebrity Picture Leaks

Apple has patched a flaw that may be linked to the leak of salacious celebrity photos on the Web.

Apple has patched a flaw that may be linked to the leak of salacious celebrity photos on the Web.

The flaw existed in the ‘Find My iPhone’ service. In order to use it, hackers would need to know the username of the account they are targeting. The vulnerability allowed attackers to guess passwords repeatedly without being locked out and without notifying the account owner. If the password was successfully guessed, the attacker could then access the iCloud account.

A tool for brute forcing the accounts was posted on GitHub. News of the patch followed reports that nude photos of celebrities such as ‘Hunger Games’ actress Jennifer Lawrence and model Kate Upton had been leaked on the Internet, and Anonymous and 4chan users claimed to have taken images from roughly 100 different celebrity accounts.

“There have been claims that iCloud may be involved, but it’s tricky to confirm even if all of the celebrities affected use Apple devices,” blogged security researcher Graham Cluley. “Many folks are blissfully unaware about iPhone photos being automatically sent to an Apple iCloud internet server after it is taken. That’s great in some ways – it means it’s easily accessible on our other Apple devices – but might be bad in others.”

The tool posted to GitHub was developed by HackApp, which also posted slides and a presentation about iCloud security online.

Rik Ferguson, Trend Micro’s global vice president of security research, advised people to not reuse passwords across multiple sites and to enable any security options an online service they are using offers.

“Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so,” he blogged.

“As for those security or password reset questions, consider whether the answers are really secure,” he added. “Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack