Online Applications

Custom Search

Monday, 1 September 2014

This 'Find My iPhone' exploit could be to blame for celebrity photo hacks


This 'Find My iPhone' exploit could be to blame for celebrity photo hacks


​We don’t need to rake over the gory details here, but in the last 12 hours, the internet has lost its “you know what” over some leaked celebrity photos. Initial reports suggested that hackers targeted the iCloud accounts of the high-profile victims, and held eager would-be-viewers to ransom on notorious bulletin-board 4chan, demanding Bitcoin in exchange for a peek of the images (reportedly earning a princely $95 for their troubles). As yet though, no one has been able to confirm how the images actually leaked, but some keen programmers think they may have spotted at least one (now fixed) route into accounts.


The potential exploit relates to a project on the code hosting site Github called, imaginatively, ibrute. Just a day before the images leaked, the developers of ibrute announced a bug in the Find My iPhone service means it doesn’t employ bruteforce protection (i.e. an attack can continue using different passwords until the right one if found). The implication is that this could give access to AppleIDs, and from there any number of avenues to compromise accounts become significantly more viable. It’s certainly not the first intrusion issue with the service we’ve seen. If this was the tool used, the hackers would have needed email addresses of celebrities. But, it’s possible that only one address is needed, allowing to search inboxes for those of others in a domino effect.




#hackapp @DefconRussia AppleID bruteforce tool via FindMyIphone bug. Doesn’t lock AppleID. https://t.co/9dG3EjtrLS


– HackApp (@hackappcom) August 30, 2014




Apple iCloud brute-forcer: https://t.co/KPMflz80W4 – apparently FindMyPhone doesn’t have brute force protection… related to celeb hacks?


– Ross (@Hypn) September 1, 2014



The good (and either timely, or coincidental) news is, that the same developers have just confirmed this exploit has been patched. For now, however, the code lives on, just now marked as a “proof of concept.” We’ve reached out to Apple for comment, but until there’s any official word either way, this is one feasible possibility. There are of course a number of other possible routes into user accounts (not least the good old fashioned abuse of trust of a close colleague or friend, or romantic interest). What’s unusual here, is the apparent scale of the issue, with numerous celebrities suffering leaks all at the same time.




The end of fun, Apple have just patched FindMyIphone bug. So ibrute is not applicable any more.


– HackApp (@hackappcom) September 1, 2014



At the time of writing, Reddit was clamping down on people naming the alleged leakers, and picture hosting site Imgur is pulling any uploads of the images as best it can, 4chan also displayed rare twitchiness, and pulled the original thread. Likewise, with Twitter reportedly suspending accounts that share the images, you might want to think twice before you RT — it’s fair to say, the internet is officially in a spin.


Matt Brian contributed to this report.



 Hide Comments 0Comments











This article is automatically posted by WP-AutoPost : WordPress AutoBlog plugin
Article Source Settings, WP-AutoPost



This 'Find My iPhone' exploit could be to blame for celebrity photo hacks

No comments:

Post a Comment

Blog Archive