Apple denies iCloud security flaw to blame for celebrity photo hack
TORONTO – Apple on Tuesday denied reports that the leak of nude celebrity photos over the weekend stemmed from a security flaw in its iCloud services.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” read a statement issued Tuesday afternoon.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
Some of the world’s biggest celebrities began cursing the technology after hundreds of nude photos were leaked online.
Nude photos of A-listers, including Jennifer Lawrence, Kirsten Dunst and Kate Upton, were posted to the image sharing forum 4chan Sunday by anonymous users and were quickly spread on social media sites.
Many reports pointed towards an alleged security bug in Apple’s iCloud services as the entry point for hackers.
The bug, now known as “iBrute,” reportedly allowed attackers to access a user’s iCloud account using a “brute force” attack thanks to an alleged vulnerability in Apple’s Find My iPhone service, according to TheNextWeb.
The bug was published on social coding site Github on Saturday.
Normally, online services protect users by temporarily locking an account after a certain number of failed login attempts. A brute force attack exploits a login endpoint that fails to enforce such a limit: a script submits password guesses repeatedly – usually in high volumes – until one of them is accepted.
Since Find My iPhone is part of a series of services connected to iCloud – including Photo Stream and Apple’s password manager, iCloud Keychain – if attackers guessed the right password they would have been able to access the user’s iCloud storage.
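The lockout behaviour described above, as an added illustration that is not Apple's code or the iBrute script: a toy login service that counts consecutive failed attempts per account and refuses further attempts once the threshold is reached. The five-attempt threshold and 15-minute lockout window are assumptions chosen for this example (the article only reports that TheNextWeb observed a lockout after five wrong attempts); `attempts_before_lock` shows how many guesses the service evaluates with the limit enforced versus disabled, which is the difference between a patched and an unpatched endpoint.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example; the five-attempt lockout
# mirrors what the article reports TheNextWeb observed after the patch.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


class LoginService:
    """Toy login endpoint that enforces a per-account failed-attempt limit."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.max_failed = max_failed      # None disables the limit (the flaw)
        self.lockout = lockout
        self._creds = {}                  # username -> (salt, pbkdf2 hash)
        self._failures = {}               # username -> consecutive failures
        self._locked_until = {}           # username -> unix time lock expires
        self._dummy_salt = secrets.token_bytes(16)

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._creds[username] = (salt, self._derive(salt, password))

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return "locked"                # refused without checking the password
        salt, stored = self._creds.get(username, (self._dummy_salt, None))
        candidate = self._derive(salt, password)
        # Constant-time compare; unknown users still pay the hashing cost so
        # response time does not reveal which usernames exist.
        if stored is not None and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if self.max_failed is not None and count >= self.max_failed:
            self._locked_until[username] = now + self.lockout
            self._failures.pop(username, None)
        return "denied"

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0) > now


def attempts_before_lock(service, username, wrong_guesses, now=0.0):
    """Feed constructed wrong guesses and count how many the service actually
    evaluates before it starts answering 'locked'. Returns (evaluated, locked)."""
    evaluated = 0
    for guess in wrong_guesses:
        if service.login(username, guess, now=now) == "locked":
            return evaluated, True
        evaluated += 1
    return evaluated, False


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")      # constructed account
    guesses = [f"password{i}" for i in range(20)]              # constructed wrong guesses
    print(attempts_before_lock(svc, "alice", guesses))         # (5, True)
    print(svc.login("alice", "correct horse battery staple", now=0.0))                   # locked
    print(svc.login("alice", "correct horse battery staple", now=LOCKOUT_SECONDS + 1))   # ok
    unlimited = LoginService(max_failed=None)                  # the unpatched behaviour
    unlimited.register("bob", "hunter2")
    print(attempts_before_lock(unlimited, "bob", guesses))     # (20, False)
```

Two details matter for a real deployment: the lock is checked before any password work, so a locked account costs the server nothing per attempt, and the correct password is refused while the lock is active, which is exactly the trade-off that makes the counter effective against unbounded guessing.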
Apple began investigating the incident on Monday.
According to HackApp, the anonymous coder who claims to have discovered the hack, the bug was patched late Monday. TheNextWeb also tested the bug and confirmed it was locked out after five incorrect password attempts.
“We are continuing to work with law enforcement to help identify the criminals involved,” read Apple’s statement.
The company is encouraging users to enable two-step verification and practice using strong passwords to protect against this type of attack.
Users can turn on two-step authentication for their Apple ID here.
Apple requires user passwords to be eight characters long and include an uppercase letter, a lowercase letter and a number.
Chris Parsons, post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs and cyber security expert, suggests that users create super long passwords to help ward off potential brute force attacks.
“A long password doesn’t have to be made up of upper and lowercase letters, dashes and other stuff you won’t remember. A series of phrases even works,” said Parsons, who suggested using a sentence for a longer password.
Apple also has an overview of the security measures used to protect data stored on its iCloud servers on its website. According to Apple, iCloud data is encrypted both on its servers and when it is “in transit” – when the data is being sent from your device to the server.
“iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties,” reads the website.
© Shaw Media, 2014