The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News … 

Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

It’s worth noting that the vulnerability did not allow access to iCloud passwords; it only permitted repeated guesses, i.e. an automated dictionary attack. For it to succeed, the accounts accessed would need to have used relatively weak passwords.
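The control the article says the service lacked, shown as an added example that is not from the article or from Apple’s service: a per-account failed-login throttle that locks the account and raises an alert after a few failures within a window, run against a constructed weak password and a constructed wordlist so the limited and unlimited cases can be compared. The account name, password, wordlist and thresholds are all constructed values.

```python
"""Added example: per-account failed-login lockout and alerting (not the
article's or Apple's code). All names and values here are constructed."""
from collections import defaultdict, deque


class LoginThrottle:
    """Track failed attempts per account; lock after `max_failures`
    failures inside `window` seconds, for `lockout` seconds, and record
    an alert so the account owner / SOC can be notified."""

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> unlock time
        self.alerts = []                    # (account, ts) alert events

    def attempt(self, account, password, ts, verify):
        """Return 'locked', 'ok' or 'fail'. `verify` is the real credential
        check; a constructed stand-in is used below."""
        if ts < self.locked_until.get(account, 0):
            return "locked"  # rejected before the password is even checked
        if verify(account, password):
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = ts + self.lockout
            self.alerts.append((account, ts))
        return "fail"


# Constructed sample: one account with a weak password, one small wordlist.
USERS = {"alice@example.com": "baseball"}


def verify(account, password):
    return USERS.get(account) == password


WORDLIST = ["password", "123456", "qwerty", "letmein",
            "football", "baseball", "dragon"]


def run_attack(throttle):
    """Feed the wordlist at one guess per second; return (guessed, results)."""
    results = []
    for i, guess in enumerate(WORDLIST):
        results.append(throttle.attempt("alice@example.com", guess,
                                        ts=1000 + i, verify=verify))
    return "ok" in results, results
```

With the default thresholds the guessing stops at five failures and an alert is recorded before the correct guess is ever reached; with an effectively unlimited `max_failures`, which is the behaviour the article describes, the same wordlist recovers the password on the sixth try.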

As a lot of celebrities know each other, it’s likely that once one account was compromised, its contacts data could be used to identify the email addresses of other celebrities, with the same attack then repeated against each account accessed.

While the tool only appeared on Github two days ago, its author or others may have had access to it for far longer, potentially explaining the reported publishing of photos deleted by their owners some considerable time ago.

As with any online service, it’s always advisable to use strong passwords and two-factor authentication.

Screengrab courtesy of @viniciuskmax


50 Responses to “Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks”

  1. myforwik says:

    This is pretty disappointing from Apple. I wonder if it’s always been like this, or it’s something that regressed. You would think they would employ attackers/hackers who try this sort of thing. A service with no login limit is child-level stuff… how did it get on Find My iPhone, a system used by millions?

  2. standardpull says:

    It is more likely that these users were sharing their passwords with other service providers, and one of those other providers was compromised.

    There have been news reports over the past several months of hundreds of millions of accounts being compromised, from small mom-and-pop providers to major players. Hashed password files are freely available. Brute forcing these files is easy work.

    It is literally billions of times less efficient to brute force a single password over a network, where you have to do a request/response. The network protocols and wire-time are tremendous rate limiters even if one does nothing else to limit the guess rate. A network attempt every 50-250ms is a lot less efficient than a hundred million attempts a second.


    • studiotott says:

      Still doesn’t feel very secure! If someone really wants to get to you, he can.


      • standardpull says:

        Here are some tips if you are concerned about security: (1) never reuse passwords (2) change your passwords frequently (3) never share passwords (4) use strong passwords (5) never store highly sensitive files online (6) monitor your accounts (7) use multi-factor (8) minimize the number of services you use (9) don’t trust any third-party services to do anything (10) keep your software up to date (11) understand 3rd party privacy practices, statements, and agreements (they are never in your favor) (12) use strong encryption everywhere (13) check that strong encryption is in use whenever you are entering data into a web site (14) assume that all on-line data is unencrypted and public (15) never trust anyone else’s device or network.

        These are the basics. Those that are well known public entities (politicians, executives, celebrities) need to be doubly diligent. Sadly, they are often just as dumb as a typical teen.

      • macmaniman says:

        (16) stay offline


    • I wouldn’t be surprised; I have three different passwords – one for financial stuff, one for online forums and another for the stuff like my blog or email. Unfortunately though, far too many choose passwords that are far too easy, resulting in what has happened – and let’s remember that Apple has offered two-step verification yet many opt out of it – so whose fault is it? If Apple forced their end users to adopt two-step verification we would have another group whining about how their ‘freedom of choice’ was taken away. If you’ve got OS X, if you use Keychain and Safari you can choose super secure passwords with each website having its own password if you want, but how many people are willing to actually use it?


  3. I think this is blah blah talk. I’m not a pro security guy but I think there’s more behind that and it’s not Apple’s fault.


    • Xanoxis says:

      Are you serious? It’s Apple’s tool, it has a security flaw, it was there the entire time. It’s Apple’s fault and nobody else’s…

      • nonyabiness says:

        Sorry, there’s no other way to say it: you’re wrong. You should always assume that anyone with enough time can crack your account. Therefore, building passwords of a sufficient length, approximately ~15 characters long with spaces, numbers, mixed case, and special characters, is the only way to ensure that the user isn’t necessarily the weakest link in their computer security. This assumes the 15 rules in the above post are followed, of course. Had the celebs built HALFWAY decent passwords, it would be close to impossible to brute force, even given decades of time to crack, regardless of whether a max password guess lockout was implemented.

        Build a decent password.


      • gbcox says:

        Sorry, as mentioned in this article (as well as many other places) Apple had a flaw which exposed it to brute-force attacks – which means of course that even if you had a strong password, it could have been hacked. Password timeouts after multiple attempts are security 101 – and they missed it. That is just pitiful. Assigning blame to the victim is extremely lame… and Apple trying to cover this whole issue up by parsing words and running the whole thing through their spin machine is extremely offensive and speaks volumes about their character as a company. I recently also read that their two-factor authentication doesn’t include all their services… it’s only a partial implementation – what’s up with that?


  4. iCloud.com doesn’t store photos. So the question is, how can a hacker get access to the photos on the phone if that’s where they came from? That’s saying someone remotely gained access to an iPhone? I don’t believe that’s where the photos were taken.


  5. This might explain some things. Other alleged details don’t line up though. I’m waiting to see additional information. If it is an iCloud issue, Apple better double down on their security.


  6. There are a lot of indicators pointing to this coming from a Dropbox exploit.


  7. Matthew Sims says:

    Once again this “hack” comes down to poor password management by the users. If this steers more people to use services such as LastPass or 1password then at least something positive can come of it.


    • Apple makes it devilishly hard to use a strong password. You have to type in your Apple password every time you install an app. On mobile devices with their limited keyboards, typing in a strong password is a huge pain. The design of touchscreen keyboards requires an awkward layout switch for even the most basic of password requirements such as having both letters and numbers in the password. Until very recently, Apple did not support two-step authentication for most services, and their implementation still lags everybody else’s in major ways (e.g. lack of offline generation of auth codes). For a company that prides itself on design and ease of use, their security architecture is stunningly lacking on both counts.


      • c1ce091b says:

        I have 1Password, and for my mobile devices, it’s a single step to copy a password from that application and then paste it into Apple’s password prompt, or any other service that requires a password. One extra step… that’s it.


      • Matthew Sims says:

        If you have an iPhone 5S (or in a fortnight’s time an iPhone 6) you can use TouchID to authenticate for app installs, updates, iTunes purchases etc. If you use 1Password/LastPass/insertpasswordmanagerhere then you can copy-paste long complex passwords with just a few taps. Probably 90% of my passwords are so long and complex even I don’t know what they are without the password manager (which is encrypted and multi-factor authentication protected).

        Apple’s mistake here is having poor brute force detection systems. The actual fault over weak passwords is purely down to the user.


      • huges84 says:

        I use LastPass and it will copy the password to the clipboard. Then just paste it in. I have a 20 random character password.


  8. You can find the leaked photos online. If you look at the EXIF information of the photos you’ll see that a lot, if not the biggest part, of the photos were made on Android devices. It is nevertheless possible to upload photos from your Android phone to an iCloud account using e.g. your Mac. I do not have proof of it but I think that it is more likely that the photos came from another cloud service such as Dropbox or Google Drive.

    Another possibility could be that the mobile devices were hacked when the celebrities were at an event, e.g. the Emmys, and used an unsecured or spoofed wireless access point.

    My question is, why would you store such private content on a cloud service controlled by others vs. having your own controlled cloud service? E.g. BitTorrent Sync with a NAS on your own premises comes to mind.

  9. tekenology says:

    Very interesting…


  10. Joshua Hale says:

    Why is it always Ben or Stephen that always posts this type of news? hmmm…


  11. Oh, so this was probably just a brute force attack? Thank goodness. I was freaking out. I had me some nudes that I didn’t want going on iCloud but didn’t realize “My Photo Stream” was on at the time. Fortunately, I don’t use bitch-ass passwords for important things like iCloud, lol.


  12. This sounds like it could be the work of Samsung trying to smear Apple. ;)


  13. Good for Blink182. Bad for Apple.


  14. 9to5Mac commenters’ logic = iCloud can’t be hacked so it must be the user’s fault for uploading private pictures. But wait, it’s actually Dropbox’s fault, because they can be hacked.


    • If you look at the leaked content, after being bored silly (it’s almost all crap), you may realize that it looks like it was collected over a long period of time and from different sources. This doesn’t look like an iCloud/iPhone/PhotoStream security breach at all based on the content.


  15. John Smith says:

    Just reading coverage of this on a professional IT security site.

    Their high-tech advice for celebrities on avoiding this type of embarrassment?

    … Don’t take nudie pics in the first place

    … If you do, don’t upload them to cloud servers

    Sounds more effective than any amount of software patches by Apple, 30 random character passwords, two-factor ID etc.


  16. TBolt says:

    On a brighter note – for some of these celebrities – we now have heard of them.

    I do hope this helps people finally learn that cloud storage is not the place to store critical data.


  17. Eric Estro says:

    this had not happened with Andrés Manuel López Obrador


  18. raptormissle says:

    Not surprised. After all, Apple security was always the Toxic Hellstew.


  19. cdmoore74 says:

    This morning in Cupertino…..

    Tim – Phil, we can’t say a word about iCloud next week. Jennifer Lawrence is going to go hunger games on our asses. What do we do?

    Phil – Talk bad about Android fragmentation as we always do!

    Tim – You’re right! Android distributions numbers are always a classless punchline during our keynotes.

    Phil – Let’s have Craig do it. We can throw in a joke about his hair.

    Tim – Just make sure you don’t use iCloud when saving the keynote. We don’t want the public to know our plans. Oh wait, that’s how the iPhone 6 parts got leaked on the internet.


  20. No one would store their nudes in iCloud anymore regardless of how much more secure Apple claims iCloud is after they fix the bugs.


  21. This is totally Apple’s fault and anyone saying otherwise is a fool. Just about every online service I use locks you out after 3 failed login attempts. This feature was missing.

    Without this lockout you can brute force hack any password of any length, given the time and resources. There are some that have stated you can attempt one user/password combo per 50-250ms, however they don’t take into account that you can have multiple login attempts concurrently brute force attacking the same account.

    Seriously, this is a huge fail by Apple. These strategies have been attempted to hack online gaming accounts for decades. With the failsafes in place said hackers now resort to misleading emails to lure unsuspecting gamers into divulging their personal information.

    I doubt it would have taken very long to hack these at all, and as stated by other users, once you hit one celebrity ‘pot of gold’ you just use their contact list to narrow down the scope of your brute force attack. This alone would have allowed a concerted effort at a ‘viable’ account, meaning that a password of any length or complexity would have ultimately been compromised as all resources could be allocated to attacking that one account.

    So it is all good and well that a patch/bug fix has been implemented to address this, but leaving a security hole this big in your system from a company as big as Apple is a massive let down.

    Given that iCloud is on by default and the security flaw is theirs, and not the user’s, I wouldn’t be surprised if you see a class action suit filed against Apple as a result of this.

  22. Tim Acheson says:

    This meaningless statement from Apple is clearly designed to plant seeds of doubt about Apple being at fault, by implying based on no evidence whatsoever that Apple platforms and devices may not be to blame. It is a transparent attempt to deflect blame and discussion of the issue away from iCloud, loyally reported by the corporate tech media without question.

    Indeed, the fact that Apple remains silent about the nature and scale of these breaches very strongly indicates that the corporation is at fault and knows it, because if they could point the finger of blame elsewhere they obviously would not hesitate to do so — immediately and loudly.

    Apple should already know what caused this breach of iCloud security and unauthorised access to iCloud data. If they truly still do not know, that would indicate further negligence and/or incompetence.


  23. Wow, this is a completely insane flaw. I am definitely not a hacker or even a programming expert… But it would take me about 30 min to create a script that would simultaneously try username-password combos (for multiple users) all day long, distributed on multiple machines. I would expand it way beyond the linked GitHub script and try billions of passwords instead of 5000. I am sure I would get hundreds or even thousands of successful matches. Since people have the same password across multiple sites (many of the times), I would then cross-reference Gmail, Facebook, Twitter, and try to find these users’ corresponding usernames on other email/social/banking/etc. sites. I would then try the iCloud password on all of those sites and now have access to a person’s social, political, financial and personal lives.

    This is just something I thought up in a few moments. Imagine what kind of evil the hackers have thought up since they have been at it for the last year or two! In addition, if they were able to hack 50+ celebrity profiles, they no doubt have thousands more people’s profiles hacked and standing by, or are already actively exploiting them.

    Lastly, this flaw is not only gaping, but it is SO easy to exploit. Any programmer with an elementary understanding of APIs and authentication would be able to implement this. If this flaw was known to many different people (which it probably was), then you can be sure that many, many people have used this and gained people’s passwords. So you’re not really dealing with one master hacker, but rather hundreds of hackers.