Apple patches 'Find My iPhone' exploit

Apple has patched an exploit with its Find My iPhone online service that may have been used by hackers to gain access to personal photos stored on iCloud accounts belonging to some 100 celebrities.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

Apple has patched an exploit with its Find My iPhone online service that may have been leveraged by hackers to get access to the recent wave of leaked celebrity photos.

Over the past 12 hours the web has been awash with private (and some very personal) photos belonging to celebrities, with Anonymous 4chan users claiming to have grabbed images from some 100 compromised celebrity iCloud accounts, which allegedly include Jennifer Lawrence, Ariana Grande, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez. 

Coincidentally, a day before the photo leak, code for an AppleID password bruteforce proof-of-concept was uploaded to the code-hosting site GitHub.

The code exploited a vulnerability with the Find My iPhone sign in page that allowed hackers to flood the site with password attempts without being locked out. By employing bruteforcing techniques, hackers could use this to guess the password used to protect the account.

Hackers using this tool would need to know the username for the account in order to attack it, but an email address is hardly a secret given that any time it is used it is made public.

It does however beg the question as to how a hacker could harvest so many celebrity AppleIDs. To me this seems harder than the password bruteforcing part.

Apple has now patched the exploit, and attempts to gain bruteforce access to accounts are met with a lockout.

Whether the two incidences are linked is at present unknown, but the timing of the release of the code and the hack certainly suggests a link. If there is a link, then this will be a pretty high profile black eye for Apple, doubly-so given the proximity to the official unveiling of the iPhone 6.

Also, while personal photographs seem to be at the heart of this leak, hacked iCloud accounts could be a treasure trove of other information, ranging from emails and contacts to calendar schedules.

See also:

Editorial standards