Apple patches 'Find My iPhone' exploit


Summary: Apple has patched a flaw in its Find My iPhone online service that may have been used by attackers to gain access to personal photos stored in the iCloud accounts of some 100 celebrities.

TOPICS: Mobility, Apple, Security

Apple has patched a flaw in its Find My iPhone online service that may have been leveraged to obtain the recent wave of leaked celebrity photos.

Over the past 12 hours the web has been awash with private (and some very personal) photos belonging to celebrities, with anonymous 4chan users claiming to have grabbed images from some 100 compromised celebrity iCloud accounts. The alleged victims include Jennifer Lawrence, Ariana Grande, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez.

Coincidentally, a day before the photo leak, proof-of-concept code for brute-forcing Apple ID passwords was uploaded to the code-hosting site GitHub.

The code targeted a weakness in the Find My iPhone sign-in page: it accepted an unlimited number of password attempts against an account without ever locking the account out or throttling the requests. With no cap on guesses, an attacker can simply work through a wordlist of common passwords until one is accepted.

An attacker using this tool would need to know the username for the account in order to attack it, but an Apple ID is an email address, and an email address is hardly a secret: it is disclosed every time it is used.

It does, however, raise the question of how an attacker could harvest so many celebrity Apple IDs. That seems harder than the password brute-forcing itself.

Apple has now patched the flaw: repeated failed sign-in attempts against an account are now met with a lockout.
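To make the difference concrete, here is an added example, written for this page rather than taken from the GitHub proof-of-concept or from Apple. It models a sign-in endpoint with no failed-attempt limit beside one that locks an account after a handful of failures and throttles each source address, then runs the same wordlist attack against both. Every account, password, salt, wordlist entry and IP address in it is constructed for illustration. It also shows the trade-off a per-account lockout brings: once an attacker has tripped it, the legitimate owner is refused too, which is why real deployments pair lockouts with per-source throttling and a second factor rather than relying on lockouts alone.

```python
"""Added example (not the article's or Apple's code): a toy sign-in
service without any failed-attempt limit, next to one with a per-account
lockout and a per-source throttle, attacked with the same wordlist.
All accounts, passwords, salts, IPs and the wordlist are constructed."""
import hashlib
import hmac
import time
from collections import defaultdict


def _hash(password, salt):
    # PBKDF2 with a low iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed account store: username -> (salt, password hash).
_SALT = b"constructed-salt"
ACCOUNTS = {
    "celeb@example.com": (_SALT, _hash("princess1", _SALT)),
}

# Constructed attacker wordlist, ordered the way guessing tools order them.
WORDLIST = ["password", "123456", "qwerty", "iloveyou", "princess",
            "princess1", "letmein"]


class UnprotectedLogin:
    """Pre-patch behaviour: every attempt is checked, nothing is counted."""

    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, password):
        rec = self.accounts.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash(password, salt), digest)


class LockoutLogin(UnprotectedLogin):
    """Post-patch style: consecutive failures lock the account for a while,
    and a per-source throttle bounds attempts no matter which account."""

    def __init__(self, accounts, max_failures=5, lock_seconds=900,
                 per_ip_limit=20):
        super().__init__(accounts)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.per_ip_limit = per_ip_limit
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.ip_attempts = defaultdict(int)

    def login(self, user, password, source_ip, now=None):
        now = time.time() if now is None else now
        if self.ip_attempts[source_ip] >= self.per_ip_limit:
            return "throttled"
        self.ip_attempts[source_ip] += 1
        if self.locked_until.get(user, 0) > now:
            return "locked"  # even the correct password is refused
        if super().login(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
        return "fail"


def brute_force_unprotected(service, user, words):
    """Return (password, attempts) on success, (None, attempts) otherwise."""
    for i, word in enumerate(words, 1):
        if service.login(user, word):
            return word, i
    return None, len(words)


def brute_force_lockout(service, user, words, source_ip="203.0.113.5"):
    """Same attack against the hardened service; gives up once blocked."""
    for i, word in enumerate(words, 1):
        result = service.login(user, word, source_ip)
        if result == "ok":
            return word, i
        if result in ("locked", "throttled"):
            return None, i
    return None, len(words)


if __name__ == "__main__":
    print(brute_force_unprotected(UnprotectedLogin(ACCOUNTS),
                                  "celeb@example.com", WORDLIST))
    hardened = LockoutLogin(ACCOUNTS)
    print(brute_force_lockout(hardened, "celeb@example.com", WORDLIST))
    # The owner, from another address, is now locked out as well.
    print(hardened.login("celeb@example.com", "princess1", "198.51.100.1"))
```

Against the unprotected service the sixth guess lands; against the hardened one the fifth failure locks the account and the sixth attempt is refused before the password is even checked. The last line is the caveat: the owner's correct password from a different address is refused too, so a lockout that keys only on the account hands anyone who knows the email a way to lock the victim out.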

Whether the two incidents are linked is at present unknown, but the timing of the code's release and of the hack certainly suggests a connection. If there is one, this will be a high-profile black eye for Apple, doubly so given the proximity to the official unveiling of the iPhone 6.

Also, while personal photographs seem to be at the heart of this leak, hacked iCloud accounts could be a treasure trove of other information, ranging from emails and contacts to calendar schedules.




Talkback

54 comments
  • Superb Security

    2014 and Apple did not have a lockout policy on a login page, what could go wrong? ;-).
    juanitotanan
    • Apple security is useless

      Seems now that the celebrity photos came from iCloud.

      Apple's and iOS security fails every two or three months.

      Seems we have another example now. For every hole Apple patches, more creep up on it.

      And there are those that consider Apple secure. It's laughable.
      Uralbas
      • Fanboys live in the reality distortion field...

        Just read some of the comments, they're either generically blaming the "cloud" or some even claim it was Android's fault. So, Apple has no reason to get their act together, all they have to do is blame someone else and their legions of cultists will buy it hook, line and sinker...
        siskol
        • Are you stupid?

          It was all Apple. Apple admits that there was a breach of their security and that's how it got out. They swear it wasn't iCloud even though the celebrities all said the photos were in iCloud. So who the fuck is blaming Android? Apple has every reason to get their act together.
          werewookiee
      • Shall we wait till we know some facts.

        At the moment you're building castles in rumours.

        There are a few things we know for sure.

        1) Celebs live by publicity and have a natural instinct for finding ways to maximise that publicity.

        2) Apple's competitors hate them, because Apple make most of the money, and always manage to kick up some bad publicity before major Apple events. Remember RIM paying rent-a-crowd to protest outside Apple stores, and yes, RIM admitted to this.

        3) If celebs' iCloud logins were protected by standard brute force lockouts, the celebs would NEVER be able to get into their own accounts because of all the fans casually trying to break in.

        4) People are remarkably stupid when it comes to picking passwords. The dog's name. The boyfriend's name... Celebs aren't generally picked for brains. But their personal details are splattered everywhere.
        Henry 3 Dogg
        • Have you ever dealt with security ?

          1) they don't need to have ALL (not only pics but also their contacts, emails, documents ...) stolen to do that. You believe they're stupid (your take) but are they masochists?
          2) what's the bridge with that?
          3) Pure nonsense: lockouts are performed after several levels of additional countermeasures and meant to block massive attempts (generally such actions are done with thousands of simultaneous requests, from various hosts). A fan trying manually to break a password will not result in lockout.
          4) It's publisher's responsibility to set the acceptable security level for password. At least for security conscious ones ...
          superfly_FR
        • I had not really considered item #3

          Thanks for the reminder...
          auogoke
    • when security isn't in your DNA ...

      standardization fails to apply. Army of sniper devs with poor control. We know the story.

      P.S: we should be aware we have no factual confirmation of iCloud's flaw and stand cautious about definitive statements. The above is thus conditional.
      superfly_FR
  • Windows Phone has the best safety record.

    Time to switch folks...
    Owl:Net
    • Windows phone?

      Time to switch to Windows Phone? Right, because security through obscurity is always the long term solution @_@
      Jmholmes83
      • Apple fanboy mantra

        http://betanews.com/2014/04/07/the-apple-myth-why-security-through-obscurity-isnt-security/
        siskol
      • maybe

        To be fair in Windows phone's case...

        ... this is one example where security through obscurity COULD be a long term solution.

        It's never likely to become mainstream.
        Henry 3 Dogg
    • Re: Windows Phone has the best safety record.....

      Good reason for that. Only a small percentage of consumers use Windows Phone.

      A whopping 2.69%

      It's laughable how you try to big a FAILED product up.
      5735guy
      • LOL fanboy...

        You could say the same about the mac. A whopping 5% world-wide. By your silly standard, an abysmal failure!!
        siskol
        • Re: LOL fanboy...

          At no point is Mac mentioned in this article.

          If you are spoiling for a fight I guarantee you will lose hands down.

          So I wouldn't bother unless you are looking to embarrass yourself.
          5735guy
          • Just your hilarious hypocrisy, fanboy...

            "If you are spoiling for a fight I guarantee you will lose hands down."

            LOL, you people are soooo detached from reality...
            siskol
          • @siskol BRING IT ON THEN !

            And keep it polite.
            5735guy
          • Bahahahaha...

            Go change your diaper.
            Owl:Net
          • I already brought it on...

            ...by showcasing your blatant hypocrisy. You had no answer to my point.
            siskol
    • Windows Phone doesn't have the best safety record

      BlackBerry does.

      Just to make sure the truth is kept on the record here.
      Mac_PC_FenceSitter