The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.
It’s worth noting that the vulnerability did not allow access to iCloud passwords, it only permitted repeated guesses or an automated dictionary attack. In order for it to succeed, relatively weak passwords would need to have been used on the accounts accessed.
As a lot of celebrities know each other, it’s likely that once one account was compromised, contacts data could be used to identify the email addresses of other celebrities, doing the same thing with each account accessed.
While the tool only appeared on Github two days ago, its author or others may have had access to it for far longer, potentially explaining the reported publishing of photos deleted by their owners some considerable time ago.
As with any online service, it’s always advisable to use strong passwords and two-factor authentication.
Screengrab courtesy of @viniciuskmax