Apple has said that it is investigating the breach of its iCloud accounts that resulted in the widespread distribution of private photos of many notable Hollywood celebrities. The statement also confirms that there was unauthorized access to the iCloud accounts.
Nothing has been announced from Cupertino as to how the hacks were carried out, but some evidence is pointing to a vulnerability in iCloud’s Find My iPhone feature, exploited by a Python script that was published on GitHub a few days ago as a proof-of-concept demonstration.
The script is called iBrute, and it takes a brute force approach: it submits email and password combinations one after another until one is accepted. Most services limit the number of user ID and password attempts that can be made before locking the account down. Until last night, Apple’s system allowed an unlimited number of attempts.
Even with unlimited attempts, though, something as simple as a second authentication step might have stopped the "hacker." Called two-step verification, it is available as an option on many services, including Apple ID, but these features are not strongly promoted across the board. In Apple’s case, two-step verification was initially implemented early last year and widely expanded only a couple of months ago.
What is interesting about this development is that this may not be the first time this Apple ID feature has been exploited through “brute force.” This past spring, a number of iPhone and iPad users in Australia found their accounts had been hijacked by “hackers” (it is not really a hack; rather, it is a trial-and-error approach) who then demanded a ransom to return control of the accounts to the original users. In that instance, accounts with two-step verification were not affected.
[Image caption] iBrute, published as a proof of concept, in action. Notice the list of common passwords it tries: if you use any of those, your password is not very strong.
What is even more telling about this breach is the apparent lack of notifications to the account holder over repeated access attempts, and apparently no proactive checks for unfamiliar IP address ranges or device identifiers. Have you ever tried to log into one of your online services from a new computer only to be immediately challenged to prove who you were, solely because it was a different machine?
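As an added example (not code from PhoneArena, Apple or the iBrute author), the following Python sketch shows the defender-side controls the article describes as missing: an attempt limit per account and per source IP, a notification to the account holder after repeated failures, and a step-up challenge when the correct password arrives from an unfamiliar device. The account store, the thresholds and the device identifiers are assumptions.

```python
# Added example, not PhoneArena's or Apple's code: a minimal login guard with the
# defenses the article says were missing. Policy numbers below are assumptions.
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5   # lock the account after 5 wrong passwords
ALERT_AFTER = 3    # notify the owner after 3 failures
MAX_PER_IP = 20    # throttle an IP after 20 failures across all accounts


@dataclass
class Account:
    password: str                       # plaintext only for the demo; store a hash in practice
    known_devices: set = field(default_factory=set)
    failures: int = 0
    locked: bool = False


class LoginGuard:
    def __init__(self, accounts):
        self.accounts = accounts
        self.ip_failures = defaultdict(int)
        self.alerts = []                # stand-in for e-mail/SMS notifications to the owner

    def attempt(self, user, password, device_id, ip):
        acct = self.accounts.get(user)
        if acct is None:
            self.ip_failures[ip] += 1   # count unknown users too, so enumeration is throttled
            return "denied"
        if acct.locked:
            return "locked"
        if self.ip_failures[ip] >= MAX_PER_IP:
            return "throttled"          # refuse before the password is even checked
        if not hmac.compare_digest(password, acct.password):
            acct.failures += 1
            self.ip_failures[ip] += 1
            if acct.failures == ALERT_AFTER:
                self.alerts.append(f"{user}: repeated failed sign-ins from {ip}")
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                self.alerts.append(f"{user}: locked after {acct.failures} failures")
                return "locked"
            return "denied"
        acct.failures = 0               # a correct password resets the counter
        if device_id not in acct.known_devices:
            return "challenge"          # right password, unfamiliar device: require second step
        return "ok"

    def confirm_device(self, user, device_id):
        # Called once the second-step code is verified; the device is trusted from then on.
        self.accounts[user].known_devices.add(device_id)
```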
Among the A-list celebrities who found their private photos scattered all over the internet were Jennifer Lawrence, Kate Upton, Rihanna, Mary Winstead, and Vanessa Hudgens. More than 100 accounts were compromised.
As we noted in our earlier article, taking responsible steps to protect one's digital profile is a personal responsibility. As consumers we are responsible for what we do (such as not leaving valuables in plain sight in a locked car), and that includes using the available tools to protect what we deem valuable. In this case though, it looks like Apple has some work to do (i.e. the locked car may have defective locks) to bring some more robust consumer protections to its online services. Moreover, a revision in how cloud services are, or are not, enabled by default on Apple’s products would serve everyone better.
Maxwell Ramsey has made significant contributions to PhoneArena through his detailed reporting on technology policy and advancements, such as wireless charging standards and FCC regulations, helping demystify complex topics for a broad readership.