iCloud Hack Exposed: Apple Blocks Password Breach Amid Celebrity Photo Scandal [Updated: Apple Responds]


For those who spent the recent US holiday weekend disconnected from news outlets, congratulations on your digital detox. Everyone else probably saw the widespread reports of a large leak of explicit celebrity photos on 4chan, featuring stars such as Jennifer Lawrence and Kate Upton. The individual distributing the images allegedly sought Bitcoin donations in exchange for access. While some celebrities have dismissed the photos as fabrications, others have confirmed their authenticity.

Update 9/2: Apple has issued a statement clarifying that their investigation has not found any breach of their systems.


Instead, the affected accounts were compromised by more conventional means, such as guessing the answers to security questions or resetting user names and passwords.

Update 2:35 pm ET: Charles Arthur, a technology journalist at The Guardian, provides an analysis of the situation, suggesting that the images may have been collected over a long period and that the repository was eventually compromised. iCloud remains a focal point of this investigation.

Update 6:50 pm ET: According to Re/code’s latest update, Apple spokesperson Natalie Kerris emphasized the company’s commitment to user privacy and ongoing investigations into the matter.

Initial reports suggested that an iCloud vulnerability was exploited to access these accounts, although this has not been definitively proven. Security experts are also considering other services like Dropbox as potential sources of the leak.

Over the weekend, Engadget highlighted a tool known as “ibrute” that exploited the absence of brute-force protection in the login endpoint of Apple’s Find My iPhone service. The tool tried passwords from a list of common ones, one after another, until one succeeded, and the endpoint never locked it out.

Apple has since patched this vulnerability.

The method was straightforward: ibrute cycled through a list of the 500 most common passwords, as revealed by the RockYou breach, against a target iCloud account ID. The Find My iPhone API previously did not limit the number of attempts, so an unlimited number of guesses could be made without triggering any security measure. Apple has now implemented a lockout after five unsuccessful attempts.
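The defensive side of this story is a per-account failure counter with a lockout, which is what the article says Apple added. The following is an added example written for this article, not code from Apple, from ibrute or from the original post. It models a password-check endpoint two ways: with `max_failures=None` it behaves like the pre-patch endpoint described above (every guess is evaluated, nothing ever locks), and with the default of five it locks the account so that even the correct password is refused until the lockout expires. The lockout duration, the PBKDF2 password storage, the account ID and the password are all assumptions or constructed values; the article states only the five-attempt threshold.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy constants. Five failures matches the threshold the article reports Apple
# adopted; the lockout duration is an assumption, the article does not give one.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked credential store does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class _Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive wrong passwords since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthGuard:
    """Password check with an optional per-account lockout.

    max_failures=None models the pre-patch endpoint as the article describes it:
    every guess is evaluated and nothing ever locks.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self._accounts = {}
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock   # injectable so tests can advance time deterministically
        self.audit = []       # (timestamp, account_id, outcome), the feed a detector would read

    def register(self, account_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[account_id] = _Account(salt, _hash_password(password, salt))

    def authenticate(self, account_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown IDs get the same answer as a wrong password."""
        now = self._clock()
        acct = self._accounts.get(account_id)
        if acct is None:
            return self._log(now, account_id, "denied")
        if acct.locked_until > now:
            # Do not evaluate the password at all while locked, so a correct guess
            # cannot be confirmed during the lockout window.
            return self._log(now, account_id, "locked")
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return self._log(now, account_id, "ok")
        acct.failures += 1
        if self._max_failures is not None and acct.failures >= self._max_failures:
            acct.locked_until = now + self._lockout_seconds
            acct.failures = 0
        return self._log(now, account_id, "denied")

    def _log(self, ts: float, account_id: str, outcome: str) -> str:
        self.audit.append((ts, account_id, outcome))
        return outcome


def simulate(max_failures, wrong_guesses=20):
    """Drive one guard with a burst of wrong passwords, then the right one.

    Returns (outcomes of the wrong guesses, outcome of the correct password
    immediately afterwards, outcome of the correct password once the lockout
    window has expired).
    """
    now = [1_000_000.0]  # fake clock the simulation advances by hand
    guard = AuthGuard(max_failures=max_failures, clock=lambda: now[0])
    # Constructed account and password; not real credentials.
    guard.register("victim@example.com", "correct horse battery staple")
    wrong = [guard.authenticate("victim@example.com", f"wrong-{i}")
             for i in range(wrong_guesses)]
    immediate = guard.authenticate("victim@example.com", "correct horse battery staple")
    now[0] += LOCKOUT_SECONDS + 1
    later = guard.authenticate("victim@example.com", "correct horse battery staple")
    return wrong, immediate, later


if __name__ == "__main__":
    unprotected = simulate(max_failures=None)
    protected = simulate(max_failures=MAX_FAILURES)
    print("no lockout: correct password after 20 wrong guesses ->", unprotected[1])
    print("lockout at 5: correct password after 20 wrong guesses ->", protected[1])
    print("lockout at 5: same request after the window expires ->", protected[2])
```

Two design points matter here. The guard refuses to evaluate the password while the account is locked, rather than merely delaying the answer, so a correct guess made during the window cannot be confirmed. And the `audit` list records every outcome per account, which is the input a monitoring rule would use to spot a burst of failures against one ID even on an endpoint where a lockout has not yet been deployed.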

A commenter on The Next Web highlighted that possessing an iCloud password does not automatically grant access to iCloud’s Photo Stream without logging in through an authorized device, which should notify the account owner. However, if the intruder has access to the victim’s email, they could potentially intercept and delete this notification.


Wei is a dedicated writer for TUAW, bringing readers the latest insights and updates on all things Apple. With a keen eye for detail and a love for technology, Wei covers everything from the newest iPhone releases to the latest macOS updates. His articles are a go-to source for Apple enthusiasts who want to stay informed about their favorite gadgets, including the iPad, Apple Watch, and MacBook. Wei’s clear and engaging writing style makes complex tech topics accessible to everyone.