The iCloud Leak

iCloud logo

Photos in the cloud? This week you are lucky for not being a celebrity! Or maybe you are? Then, let’s hope your pics are not stored in iCloud.

Last Sunday Apple’s cloud service iCloud became a part of a scandalous leak of hundreds of nude pictures of Hollywood celebrities. The theory goes that the pictures were stolen from the celebrities’ iCloud accounts. Representatives of Apple claim that they had always taken user privacy very seriously. But can they prove it this time?

Although there are many hypotheses on the possible means of the leak, security experts are already pointing their fingers at two flaws in the Apple security. Those issues are related to the iCloud online storage application and the Find My iPhone API.

What has probably happened is the so called brute-force security attack, which is essentially a trial-and-error-way of breaking through security, and it usually only works if there is a weakness in the security of a system that allows an unlimited number of login attempts.

Usually, when you log in to a system of such type, it protects you from hacker attacks by locking up the system or the account, if an incorrect password is entered a certain number of times. However, after the leak it was established that the Find My iPhone app does not have such limitations. Apple, on the other hand, fixed this vulnerability in an instant. A little too late maybe.

What may be the initial cause of the attack is the posting of the so called iBrute 36 hours before the celebrities’ photos leaked online. iBrute was released in order to point out to Apple some of its security issues. It seems that someone might have benefited from the iBrute system to hack a large number of private accounts.

According to experts, the iCloud security has two potential weak spots.

First, the Find My iPhone app does not have the required level of password protection or user alerts. And second, the user’s iCloud security code, which is separate from the user’s iCloud password. The code defaults to just four digits and may also be vulnerable to a force attack.

Even if all this is true, how could so many accounts be hacked? A leading theory is that there were a handful of accounts that were used to find contact details, including email addresses, for the others. With those IDs in hand, the hackers simply continued to apply the force attack until they had access to other accounts’ iCloud data.

Of course, a completely different source may be the one, which have caused the leak. Or it may simply be an advertising trick. As you know, there is no such thing as negative advertising. But just in case you are still unaware of the iCloud security, we would recommend other online storage services. So, read our blog and stay tuned.