Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Apple 'investigating' if leaked celebrity pics came from iCloud

Apple 'investigating' if leaked celebrity pics came from iCloud
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 1, 2014, 07:09 PM
 
Even as Apple on Monday issued a terse statement saying only that "we take user privacy very seriously and are actively investigating this report," concerning the leak of compromising images from 101 celebrities, the 4chan poster who released the compromising images and video has now admitted that the pictures come from a variety of sources. In the meantime, Apple has patched a potential security flaw that could have allowed attackers to brute-force their way into obtaining weak iCloud passwords.

Some of the celebrities pictured shot their "selfies" using non-Apple smartphones, further diluting the claim that iCloud played much -- if any -- role in the leaks, reports AppleInsider. There is a long history of image leaks that were claimed to be result of "hacks," but were later found to be the work of more conventional data-stealing techniques such as easily-guessable passwords or social-engineering trickware that revealed the credentials.

That the leaked images were all of female celebrities and from a small pool of said persons would further suggest that no mass-leak of individuals' private photos or other data has actually occurred, and that the new files are more likely the result of other methods targeted at a specific pool of celebrities. A number of the photos seem more likely to have been acquired from services that claim to delete sent images after a short period, but can often be captured anyway, such as Snapchat.

While Apple's iCloud service may or may not have any role in the capture of the private images, the publicity of the case has unearthed a possible vector of attack that Apple has since fixed. Prior to last night, it was possible for hackers to use "brute-force" guessing techniques to uncover the Apple ID and password of specific targets, particularly if said targets had "weak" passwords.

While some have speculated that this could have been a source for at least some of the images released, there is as of yet no evidence of the brute-force method having been successfully used. Apple should be able to determine if that technique was used through records of login attempts on the accounts of any of the celebrities, at least some of whom do use iPhones and iCloud.

Further undermining the claims of iCloud involvement, however, is the fact that iCloud content is stored in an encrypted format, specifically to guard against unauthorized individuals obtaining access to Apple's servers. In addition, the company uses a minimum of 128-bit AES encrypting for the data even while it is in transit, making the content encrypted from end-to-end.

Apple has also been requiring the use of "stronger" passwords with iCloud and iTunes accounts for some time. Though this does not entirely rule out the possibility that some of the victims of the attack still relied on "weak" passwords and thus had their accounts compromised, it does essentially eliminate the possibility of a hack of Apple's iCloud servers as a method to obtain the data.
     
Mac Enthusiast
Join Date: Nov 1999
Location: Bensalem, PA
Status: Offline
Reply With Quote
Sep 1, 2014, 08:17 PM
 
I'm going to guess that this is going to come down to weak passwords.

Either way, I expect a lot of celebs to be buying Android phones when their contract is up.
Andy Pastuszak
amp68(spammenot)-at-verizon.net
     
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Reply With Quote
Sep 1, 2014, 08:53 PM
 
Except that -- as the article states -- some of the leaked photos clearly come from Android users. As Android is the leading mobile platform for malware anymore (now that Symbian is dead), that would be THE LAST platform one should consider if one is in the habit of taking nude selfies.
Charles Martin
MacNN Editor
     
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 2, 2014, 08:32 AM
 
There are current discussion online that these pics are the tip of the iceberg from a celeb pic ring in the "darknet", where the only way to get in is to provide a unique picture that nobody else has.

This explains a great deal, but we'll see what's true this week, I expect.
     
Grizzled Veteran
Join Date: Jul 2006
Location: Seattle
Status: Offline
Reply With Quote
Sep 2, 2014, 09:17 AM
 
Why the silly scare quote around "investigating" in the headline? Does 'MacNN' really 'think' Apple 'might' only be 'pretending' to be 'investigating' this 'matter.' Scare 'quotes' like 'that' one 'are' silly.
Author of Untangling Tolkien and Chesterton on War and Peace
     
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 2, 2014, 10:20 AM
 
Not a scare quote - an actual quote.

"Apple is investigating"

Seriously. That's what we were told. Just as simple as that. Over-reacting to quotation marks is silly too!
     
Senior User
Join Date: Jan 2008
Status: Offline
Reply With Quote
Sep 2, 2014, 10:43 AM
 
I'm more amazed how this all got associated with iCloud with little to no evidence of the such. To say someone "hacked" a celebrity's smartphone could mean many possibilities...nothing short of watching them enter their password, for example. And some have already been identified as Android users!

No, the conspiracy theorist in me chalks this up to Google, or better yet, Samsung tactics prior to a major event by Apple...an attempt to deflate what undoubtedly will be a highly successful launch of new Apple devices that can neither be matched in product or hype by anything Samsung has to offer.
     
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Sep 2, 2014, 11:04 AM
 
It sounds like Apple did have something of a security "issue" with regard to their iCloud service. Some reports say that Apple had little-to-no protections against brute-force attacks for some iCloud services, allowing a hacker to create a script that simply tries different passwords as quickly as the iCloud servers would respond without ever tarpitting (slowing down the requests) or banning (blocking the IP temporarily) due to X number of failed attempts.

If true, that's kind of "Web Security 101" material -- there isn't (or shouldn't be) an IT professional in the world worth a hill of beans that would put an internet-facing server online without some kind of protection against brute-force attacks like this. Anyone responsible for this type of thing knows that when you bring a, say, new web server online and it has a public IP address, that the attacks from China and Russia and the world begin within hours -- lots of log entries about automated computers trying different SSH passwords, or looking for SQL servers or phpMyAdmin servers or what-not. It's fairly easy to protect against, and should be done by default to any server with a public internet IP address.

If those reports aren't true, though, then this seems to simply be a case of people either having picked poor/weak passwords, or falling victim to social engineering hacks, like phishing -- neither of which Apple can do much about, other than require strong passwords ("password must contain an uppercase and lowercase letter, a number, a symbol, must be 10 digits in length, cannot be the same as any previous password, etc.") or implement more burdensome multi-factor authentication schemes.
     
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 2, 2014, 11:28 AM
 
There was an issue, and most venues were quick to jump on it as the ├╝berhack that caused the whole thing. We don't think it is, and we've said so. There are just too many other devices, things, etc in the pictures!
     
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Sep 2, 2014, 11:47 AM
 
Well, it is completely possible that the iCloud security issue described above allowed access to iCloud photos for some of the celebs who used Apple devices, while a different attack vector was used to get the photos from non-Apple devices, yes?

In other words, there might be more than one "uberhack" out there -- one for each platform?
     
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 2, 2014, 11:53 AM
 
Sure, its possible that the hack was used in the three days it was available to glean pics.

Its just not the omnisolution. Weak passwords, lack of user knowledge, and social engineering seem way more likely to me. As with all this stuff, we'll all find out together.
     
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Reply With Quote
Sep 2, 2014, 12:10 PM
 
Originally Posted by pastusza View Post
I'm going to guess that this is going to come down to weak passwords.

Either way, I expect a lot of celebs to be buying Android phones when their contract is up.
My understanding is that yes, it was most likely a weak password issue for the iCloud breakins. The python script utilized an iCloud API that does not lock the account after 5 failed attempts, so a brute force attack could be effective.

Apple 'Actively Investigating' Possible Hacking of Celebrity iCloud Accounts - Mac Rumors
     
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 2, 2014, 12:49 PM
 
Or, you know, our article on this, since this is all on the home page.

Python script attacking Find My iPhone may be behind celebrity leaks | Electronista
     
   
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Top
Privacy Policy
All times are GMT -4. The time now is 09:39 PM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2