Thursday 25 September 2014

Apple Aware of iCloud Security Flaw Months Before Celebrity Nudes Leaked

A security researcher informed Apple about the security flaw in its iCloud service months before explicit images of celebrities were leaked.
Back in March 2014, Ibrahim Balic, a London-based software developer, sent Apple a series of emails which outlined how attackers could use what is known as a "brute force attack" against Apple's iCloud service to gain access to user accounts.

The same flaw was blamed for the leak of hundreds of celebrity images in August 2014, which saw hackers collect huge troves of explicit images from the iCloud accounts of celebrities such as Kim Kardashian, Jennifer Lawrence, Kate Upton, and Hayden Panettiere.

While the first batch of images was leaked in August and a second batch followed on 21 September, the hackers who collected them would have been working for months to build the huge trove of stolen images and videos.

Brute force

According to Balic's emails, obtained by the Daily Dot website, Balic emailed Apple on 26 March to tell them he had successfully bypassed a security measure which was designed to prevent hackers from using brute force attacks.

Brute force attacks see hackers try long lists of the most common passwords in rapid succession in an attempt to access accounts.

Normally, online services prevent this type of attack by limiting the number of unsuccessful login attempts a user can make, but Balic seems to have found a way of circumventing this measure.
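The mitigation described above, a limit on unsuccessful login attempts, is easy to get wrong: if the counter can be reset or sidestepped, the limit provides no protection. The following is an added illustration written for this article, not Apple's code and not a description of how iCloud's check was implemented. It keeps a sliding window of failures per account, locks the account once a threshold is reached, and keeps rejecting attempts for the lockout period even when the submitted password is correct, so a guess that happens to be right during a lockout still yields nothing. The threshold, window, lockout duration, and every login event are constructed values.

```python
"""Per-account login throttling with a sliding failure window and lockout.

Added example for this article; not Apple's code. Thresholds and the
sample login events are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int            # seconds since epoch (constructed values)
    account: str       # account name being logged into
    source_ip: str     # where the attempt came from
    password_ok: bool  # what the credential check would have returned


class LoginThrottle:
    """Counts failures per account, not per source address, so the count
    cannot be reset by sending attempts from a different client."""

    def __init__(self, threshold=5, window=300, lockout=900):
        self.threshold = threshold        # failures in window before lockout
        self.window = window              # sliding window in seconds
        self.lockout = lockout            # lock duration in seconds
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock timestamp

    def _prune(self, account, now):
        # Drop failures older than the window so a few forgotten passwords
        # over a long period never lock out a legitimate user.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, attempt):
        """Return 'locked', 'denied' or 'ok' for one attempt."""
        now, acct = attempt.ts, attempt.account
        until = self._locked_until.get(acct)
        if until is not None and now < until:
            # Fail closed: while locked, the password is not even consulted,
            # so the response leaks nothing about whether a guess was right.
            return "locked"
        self._prune(acct, now)
        if attempt.password_ok:
            self._failures[acct].clear()
            return "ok"
        self._failures[acct].append(now)
        if len(self._failures[acct]) >= self.threshold:
            self._locked_until[acct] = now + self.lockout
            return "locked"
        return "denied"


def decisions(attempts, throttle=None):
    """Run a sequence of attempts through one throttle and return the verdicts."""
    throttle = throttle or LoginThrottle()
    return [throttle.decide(a) for a in attempts]


# Constructed sample: five rapid failures against "alice" from three
# addresses, then a correct password during the lockout; a legitimate
# user "bob" mistypes once; alice's owner logs in after the lock expires.
SAMPLE_ATTEMPTS = [
    LoginAttempt(1000, "alice", "203.0.113.7", False),
    LoginAttempt(1001, "alice", "203.0.113.7", False),
    LoginAttempt(1002, "alice", "203.0.113.8", False),
    LoginAttempt(1003, "alice", "203.0.113.8", False),
    LoginAttempt(1004, "alice", "203.0.113.9", False),   # fifth failure: locked
    LoginAttempt(1005, "alice", "203.0.113.9", True),    # right password, still rejected
    LoginAttempt(1010, "bob", "198.51.100.4", False),
    LoginAttempt(1020, "bob", "198.51.100.4", True),
    LoginAttempt(1905, "alice", "192.0.2.10", True),     # lock expired at 1904
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, decisions(SAMPLE_ATTEMPTS)):
        print(attempt.ts, attempt.account, attempt.source_ip, verdict)
```

Two design points matter here. First, the counter is keyed on the account rather than on the source address, because an attacker controls the address and a limiter that only watches addresses is exactly the kind of measure that can be circumvented. Second, the lockout check runs before the password is evaluated, so a locked account returns the same answer for right and wrong passwords and the limiter cannot be used as an oracle.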

Last month a script that automated this kind of attack was briefly posted on GitHub before being removed from the code-sharing website.

As well as reporting the vulnerability via email to Apple, Balic also says he used the company's online bug submission platform.

Targeted attacks

Apple did respond to Balic's emails, but a message dated 6 May from an Apple engineer seeking more information suggested the flaw had still not been fixed.

Apple did eventually fix the vulnerability but only after it was blamed for the high-profile leaks of explicit images of celebrities.

Apple, however, claimed this flaw was not to blame for the celebrity attacks, saying instead that the leaks came about after "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions" and adding that "none of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

Apple faced a lot of criticism of its security policies in the wake of the scandal and quickly moved to implement more stringent security settings on its iCloud service, including two-factor authentication.
