A plethora of reports are swirling around the internet that countless private celebrity photos have leaked (no, we’re not going to link you), and—what are as of right now baseless—rumors claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. The celebrities reportedly involved include Jennifer Lawrence, Kate Upton, Avril Lavigne, Mary Elizabeth Winstead, Mary-Kate Olsen, Hilary Duff, and many others.
News of the leaked images first started spreading on a 4chan /b/ thread earlier today, where many users have made claims that the leaks are due to at least one person maliciously exploiting iCloud and various celebrities’ cell phones. Reports on 4chan also claim that the hacker has acquired videos as well and intends to sell them to TMZ for as much as six figures. Of course, most of this information is from an anonymous 4chan board, so take it with a heaping pile of salt.
But the fact remains that these private photos are definitely making the rounds, and many celebrities have taken to Twitter to seemingly confirm that at least some of them are indeed real. Most notably, Mary Winstead says she can only imagine the “creepy effort” that went into the leaks.
Photo Stream automatically syncs photos to iCloud as they’re taken, but it’s not yet known how the hacker—if they did indeed manage to hack iCloud—got ahold of so many different celebrities’ photos across so many accounts. Mary Winstead mentions that the leaked photos of hers were deleted “long ago,” which raises even more questions including whether or not a deleted iCloud photo is ever truly deleted. But that, of course, assumes that iCloud is the problem here.
As many have noted in an attempt to prove that iCloud isn’t the source of these nudes, videos don’t work with My Photo Stream. You can, as of iOS 7, upload them to shared streams (and therefore iCloud) and, perhaps more importantly, iCloud will also upload them to the cloud when performing a full device backup. Having access to an iCloud account would mean that a hacker could effectively restore the account to a wiped phone.
Some celebrities have reported that they don’t even use an iPhone, which leads most to believe that the hacker got these files from multiple sources (which is likely anyway) or that some other cloud service could be the real culprit. Perhaps more interesting, however, is that some celebrities, namely Trisha Hershberger, have proven that their nudes are actually fake and, coincidentally, they don’t use an iPhone.
We’ve reached out to Apple for comment on the situation. In the meantime, now is a good time to remind you to turn on two-factor authentication on your iCloud account.
It’s still speculation at this point that iCloud is involved at all, but a vulnerability found in Find My iPhone could have permitted hackers to brute-force their way into accounts by guessing a huge number of passwords that meet Apple’s password requirements. In order for this method of attack to work, the accounts of the celebrities in question would have to have relatively weak passwords. But as many celebrities know each other and would have other celebrities’ contacts in their address books, it’s possible that contacts data could be used to identify the account email addresses of others, effectively creating a “chain” of hacks.
The program, called “iBrute,” exploited a now-patched flaw that let it guess an unlimited number of passwords without being locked out; it hasn’t been linked directly to any attack on iCloud. But the security flaw it took advantage of came to light and was fixed on the same day as the leak of countless private celebrity photos, so the timing is definitely a little uncanny.
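As an added example (not code from this article, from Apple, or from the iBrute authors), here is the defensive counterpart to the flaw described above: a login check that enforces the kind of lockout the Find My iPhone endpoint lacked, plus a detector that flags accounts seeing many failed logins in a short window. The account names, IP addresses, thresholds and log format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed demo, not Apple's code: a login check with the lockout the Find My
# iPhone endpoint reportedly lacked, plus a detector for guessing in a constructed log.
MAX_FAILURES = 5       # assumption: lock the account after 5 consecutive failures
LOCKOUT_SECONDS = 900  # assumption: keep it locked for 15 minutes

class LoginGuard:
    def __init__(self, credentials):
        self.credentials = credentials      # user -> password, demo only
        self.failures = defaultdict(int)    # consecutive failures per user
        self.locked_until = {}              # user -> epoch second the lock expires

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at epoch second `now`."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                 # refused even if the password is right
        if self.credentials.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "denied"

LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (ok|denied)$")  # "<epoch> <account> <ip> <result>"

def flag_guessing(log_lines, window=60, threshold=MAX_FAILURES):
    """Return {account: failures} for accounts with at least `threshold`
    denied logins inside any sliding window of `window` seconds."""
    fails = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group(4) == "denied":
            fails[m.group(2)].append(int(m.group(1)))
    flagged = {}
    for account, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                  # drop failures older than the window
            if end - start + 1 >= threshold:
                flagged[account] = max(flagged.get(account, 0), end - start + 1)
    return flagged

# Constructed sample log: six rapid failures against alice, one against bob.
SAMPLE_LOG = [f"{1000 + 3 * i} alice@example.com 203.0.113.5 denied" for i in range(6)]
SAMPLE_LOG += ["1100 bob@example.com 198.51.100.7 denied", "1200 bob@example.com 198.51.100.7 ok"]
```

Running `flag_guessing(SAMPLE_LOG)` flags only alice; a service that logs and counts failures this way also has the data to enforce the lockout that `LoginGuard` implements.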
Update 2: Apple has issued a statement to Re/code saying that they’re “actively investigating” whether or not iCloud was actually involved in leaking the private images. “We take user privacy very seriously and are actively investigating this report,” Natalie Kerris, spokesperson for Apple, said.
Update 3: As pointed out by Mashable, the iBrute program was released just three days before the leak of the first celebrity photo, which may not have been enough time for this specific vulnerability to have been exploited to the extent needed to leak hundreds of celebrities’ nude photos. On August 30th, Andrey Belenko and Alexey Troshichev, security researchers with viaForensics and HackApp, respectively, gave an in-depth report (link to presentation slides) at Defcon Russia on the state of iCloud security, and iBrute was their proof of concept.
In the presentation, viaForensics actually outlines how Find My iPhone isn’t the only security flaw here. Supposedly, hackers may have been able to guess a user’s iCloud Security Code offline, which would not trigger any lockout mechanism, much as Find My iPhone lacked one.
In terms of how this applies to the issue at hand, the iBrute Find My iPhone flaw being patched this morning may simply have been a result of this security talk and had nothing to do with the leaked images.
Update 4: Actress Kirsten Dunst appears to credit iCloud for her photos being leaked.
[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.
Update 6: Apple has denied that iCloud was actually breached, and says that this was actually a “very targeted attack” on certain celebrities.