Targeted attack behind iCloud nude photo leak: Apple


By Dylan Bushell-Embling
Thursday, 04 September, 2014



The hackers who leaked dozens of nude photographs of various celebrities gained access to their victims’ iCloud accounts through a targeted phishing attack, not any flaw in iCloud security, according to Apple.

A 40-hour investigation by Apple engineers has determined that “certain celebrity accounts were compromised by a very targeted attack on usernames, passwords and security questions”, Apple said in a statement.

The leak of the images has garnered international media attention, along with speculation that the attackers gained access through a breach in iCloud security protocols.

But Apple said none of the cases it has investigated “resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone”. The company is working with law-enforcement officials to track down the perpetrators.

Apple was responding to various reports speculating that the hackers may have gained access to the celebrities’ iCloud accounts by exploiting a vulnerability in iCloud itself or Apple’s Find My iPhone service.

In one such example, a Python script uploaded to GitHub allegedly allowed users to obtain Apple ID passwords via a brute-force attack. The readme asserted that Apple had not implemented brute-force protection at the time the script was written.

According to The Next Web, if the claim is true, Apple has since patched the vulnerability, as the script now triggers an account lockdown.

While Apple’s statement is confirmation that some of the pilfered images came from compromised iCloud accounts, others are proven fakes, and it’s not clear whether all the legitimate images came from Apple users.

Business Insider’s James Cook has speculated there could be other ways the photos have emerged. These include efforts by insiders such as personal assistants seeking to cash in on the images, the theft of a laptop or phone from a high-profile celebrity, and the images being skimmed while the celebrities’ devices were connected to unencrypted Wi-Fi networks during the Emmy awards.

Ciphertrust chief trust officer Bob West said regardless of the method or methods involved, the photo leaks “highlight the need for basic measures people can take if they are sending or storing sensitive content in cloud applications”.

He said that while large cloud providers have thorough network security tools, users shoulder the responsibility for securing the content stored in the cloud.

Charles Sturt University IT security expert Dr Tanveer Zia said the breach proves that internet users must assume that any pictures taken by an internet-connected device are public.

“When we post information online, we lose some control of it,” Zia said. “In today’s interconnected world, a photograph taken through a smart device may be automatically posted on a social network [or cloud server] if a user has activated this. In the wake of this latest incident, users should consider not taking any photos which they would not want publicly seen.”

He added that the incident reinforces the need for wider use of two-factor authentication in online services.

In a blog post, FireLayers head of security engineering Boris Gorin said the breach should also serve as a wake-up call to enterprise users of cloud services.

“Most users of cloud-based services wrongly assume that the service provider, in this case Apple, is responsible for managing the data, access and usage of their service. This just isn’t the case,” he said.

“Cloud application security is a corporate problem. Understanding that your business shares responsibility in securing cloud application usage and data - as well as closing related compliance gaps - is the cornerstone of a cloud application governance strategy.”

Image courtesy of Pro Juventute under CC
