Apple patches 'Find My iPhone' exploit

Summary: Apple has patched a flaw in its Find My iPhone online service that may have been used by hackers to gain access to personal photos stored in the iCloud accounts of some 100 celebrities.

Apple has patched a flaw in its Find My iPhone online service that may have been leveraged by hackers to obtain the recent wave of leaked celebrity photos.

Over the past 12 hours the web has been awash with private (and some very personal) photos belonging to celebrities, with anonymous 4chan users claiming to have grabbed images from some 100 compromised celebrity iCloud accounts, allegedly including those of Jennifer Lawrence, Ariana Grande, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez.

Coincidentally, a day before the photo leak, code for an AppleID password brute-force proof-of-concept was uploaded to the code-hosting site GitHub.

The code exploited a vulnerability in the Find My iPhone sign-in page that allowed an unlimited number of password attempts against an account without ever triggering a lockout. With no rate limiting in place, an attacker could simply keep guessing until the password protecting the account was found.

Hackers using this tool would need to know the username (the AppleID email address) of the account in order to attack it, but an email address is hardly a secret: it is exposed every time it is used.

It does, however, raise the question of how a hacker could harvest so many celebrity AppleIDs. To me this seems harder than the password brute-forcing part.

Apple has now patched the flaw, and repeated brute-force sign-in attempts against an account are now met with a lockout.
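To make the difference concrete, here is an added illustration (not code from the article, and not Apple's implementation) of a sign-in endpoint with no lockout beside one that locks an account after a handful of failures; the threshold, window and lockout duration are hypothetical policy values, and the account name and guess sequence are constructed.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account lockout for a sign-in endpoint. After max_failures failed
    attempts inside window_seconds, every further attempt is rejected until
    lockout_seconds has passed, even if the password is right.
    max_failures=None models the pre-patch behaviour: unlimited attempts.
    All policy values are hypothetical, not Apple's actual settings."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. The lock is checked before the
        password, so a correct guess during lockout reveals nothing."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        q = self._failures[account]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if self.max_failures is not None and len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
        return "fail"


def run_policy(throttle, account, attempts, start=0):
    """attempts is a constructed list of booleans (True = correct password),
    submitted one second apart. Returns (number of attempts the endpoint
    actually evaluated, outcome of the last one)."""
    outcomes = [throttle.attempt(account, ok, start + i) for i, ok in enumerate(attempts)]
    return sum(o != "locked" for o in outcomes), outcomes[-1]


if __name__ == "__main__":
    guesses = [False] * 20 + [True]  # constructed: 20 wrong guesses, then the right one
    print("no lockout:", run_policy(LoginThrottle(max_failures=None), "a@example.com", guesses))
    print("lockout:   ", run_policy(LoginThrottle(), "a@example.com", guesses))
```

Without a lockout every guess is evaluated and the correct one eventually succeeds; with the lockout only the first five are evaluated and the correct guess is refused until the lock expires.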

Whether the two incidents are linked is at present unknown, but the timing of the code's release and the hack certainly suggests a connection. If there is one, this will be a pretty high-profile black eye for Apple, doubly so given the proximity to the official unveiling of the iPhone 6.

Also, while personal photographs seem to be at the heart of this leak, hacked iCloud accounts can be a treasure trove of other information, from emails and contacts to calendar schedules.


About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
