The day after private and nude photos of actress Jennifer Lawrence and other Hollywood celebrities were leaked online, Apple has reportedly patched a security gap that could have allowed hackers to access iCloud accounts.
It was reported that the vulnerability was exposed on the code hosting site Github. It says developers discovered that Apple’s “Find My iPhone” feature could be compromised by so-called brute force attacks which try password after password until the right one is found to unlock an account. From there, the hackers might have been able to figure out a user’s Apple ID and access their iCloud storage. Github says Apple has fixed the problem.
However, it is not clear whether this is the same, or the only security flaw that allowed hackers to scoop up the photos of Lawrence and 20 other Hollywood celebs.
As stated in our earlier post, some of the photos appear to have come from different devices and may have been accumulated over a long period of time.
CNET senior editor Dan Ackerman said “It may not be one person, it may be a group of people, and these may be photos that were put together over the course of months or years,“
Online posts on the websites 4chan and Reddit said photos of more than 100 celebrities were exposed when a hacker broke into their cloud-based storage though independent news agencies indicated that images of only 20 celebs in close and personal positions may have been leaked.
Photos of the “Hunger Games” star Jennifer Lawrence in various stages of undress appeared online, along with private photos of actress Mary Elizabeth Winstead, model Kate Upton, and others. A spokesperson for Lawrence told that the posts are “a flagrant violation of privacy” and said “the authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.“
Winstead and Upton acknowledged that the stolen photos of them were real, while two other victims, singer Ariana Grande and Nickelodeon star Victoria Justice, said the photos posted of them were fakes.
In the other side Apple said Monday it is “actively investigating” whether a security breach at its iCloud service was responsible for the leak.
“We take user privacy very seriously and are actively investigating this report,” Apple spokeswoman Natalie Kerris told Recode.
The as-yet unknown attacker had one other thing going for him => Apple allows an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in to a system with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.
“The attackers never should have been allowed to make an unlimited number of guesses,” Kindlund said.
“The attackers never should have been allowed to make an unlimited number of guesses,” Kindlund said.
And while there’s no direct evidence tying the Apple’s iCloud to the attack, the timing of the incident appears to coincide with a talk given by security researchers on the subject of security on iCloud.
The iBrute program was created by security researchers in Russia as a proof of concept and demonstrated as part of a talk at a security conference in St. Petersburg earlier this month.
