
Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks

The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to GitHub, where it remained for two days before being shared on Hacker News …

Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

It’s worth noting that the vulnerability did not expose iCloud passwords directly; it only permitted repeated guesses or an automated dictionary attack. For the attack to succeed, relatively weak passwords would need to have been used on the accounts accessed.

As a lot of celebrities know each other, it’s likely that once one account was compromised, its contacts data could be used to identify the email addresses of other celebrities, with the same thing repeated for each account accessed.

While the tool only appeared on GitHub two days ago, its author or others may have had access to it for far longer, potentially explaining the reported publishing of photos deleted by their owners some considerable time ago.

As with any online service, it’s always advisable to use strong passwords and two-factor authentication.
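
The control the article describes as missing, a limit on repeated guesses with an alert to the target, sketched as an added example (not code from the article, from Apple, or from the tool mentioned). It goes slightly beyond the text by keying the counter on the account and sharing it across every endpoint and source address; the endpoint names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Failed-login limiter keyed on the account, shared by every endpoint."""

    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.window = window              # seconds over which failures are counted
        self.base_lockout = base_lockout  # first lockout length, doubled on each repeat
        self.max_lockout = max_lockout
        self._failures = defaultdict(deque)  # account -> times of recent failures
        self._locked_until = {}              # account -> time the lockout ends
        self._lockouts = defaultdict(int)    # account -> lockouts triggered so far
        self.alerts = []                     # notifications owed to the account owner

    def attempt(self, account, endpoint, source_ip, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        # While locked, refuse before looking at the password, so a correct
        # guess made during the lockout is not confirmed to the guesser.
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        # Count the failure per account: guesses spread over many addresses
        # or sent to a less-watched endpoint all land in the same window.
        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.max_failures:
            return "failed"
        # Threshold reached: lock, back off exponentially, tell the owner.
        self._lockouts[account] += 1
        delay = min(self.base_lockout * 2 ** (self._lockouts[account] - 1), self.max_lockout)
        self._locked_until[account] = now + delay
        self.alerts.append({"account": account, "at": now, "locked_for": delay,
                            "last_endpoint": endpoint, "last_source": source_ip})
        recent.clear()
        return "locked"


# Constructed sample: (account, endpoint, source_ip, password_ok, seconds)
SAMPLE_EVENTS = [
    ("user@example.com", "findmy", "198.51.100.1", False, 0.0),
    ("user@example.com", "findmy", "198.51.100.2", False, 0.2),
    ("user@example.com", "web",    "198.51.100.3", False, 0.4),
    ("user@example.com", "findmy", "198.51.100.4", False, 0.6),
    ("user@example.com", "findmy", "198.51.100.5", False, 0.8),  # fifth failure: lock
    ("user@example.com", "findmy", "198.51.100.6", True,  1.0),  # right guess, still refused
    ("user@example.com", "web",    "203.0.113.9",  True, 120.0), # owner, after the lockout
]


def replay(events, throttle=None):
    """Feed events through a throttle; return the outcomes and the throttle."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(*e) for e in events], throttle
```

Because the lockout is temporary and backs off, someone who trips it on purpose delays the account owner rather than shutting them out for good.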

Screengrab courtesy of @viniciuskmax


Comments

  1. myforwik - 10 years ago

    This is pretty disappointing from Apple. I wonder if it’s always been like this, or it’s something that regressed. You would think they would employ attackers/hackers who try this sort of thing. A service with no login limit is child level stuff… how did it get on Find My iPhone, a system used by millions?

  2. standardpull - 10 years ago

    It is more likely that these users were sharing their passwords with other service providers, and one of those other providers was compromised.

    There have been news reports over the past several months of hundreds of millions of accounts being compromised, from small mom-and-pop providers to major players. Hashed password files are freely available. Brute forcing these files is easy work.

    It is literally billions of times less efficient to brute force a single password over a network, where you have to do a request/response. The network protocols and wire-time are tremendous rate limiters even if one does nothing else to limit the guess rate. A network attempt every 50-250ms is a lot less efficient than a hundred million attempts a second.

    • studiotott - 10 years ago

      Still doesn’t feel very secure! If someone really wants to get to you, he can.

      • standardpull - 10 years ago

        Here are some tips if you are concerned about security: (1) never reuse passwords (2) change your passwords frequently (3) never share passwords (4) use strong passwords (5) never store highly sensitive files online (6) monitor your accounts (7) use multi-factor (8) minimize the number of services you use (9) don’t trust any third-party services to do anything (10) keep your software up to date (11) understand 3rd party privacy practices, statements, and agreements (they are never in your favor) (12) use strong encryption everywhere (13) check that strong encryption is in use whenever you are entering data into a web site (14) assume that all on-line data is unencrypted and public (15) never trust anyone else’s device or network.

        These are the basics. Those that are well known public entities (politicians, executives, celebrities) need to be doubly-diligent. Sadly, they are often just as dumb as a typical teen.

      • macmaniman - 10 years ago

        (16) stay offline

    • Kawaii Gardiner - 10 years ago

      I wouldn’t be surprised; I have three different passwords – one for financial stuff, one for online forums and another for the stuff like my blog or email. Unfortunately though far too many choose passwords that are far too easy resulting in what has happened – and let’s remember that Apple has offered two step verification yet many opt out of it – so whose fault is it? If Apple forced their end users to adopt two-step verification we would have another group whining about how their ‘freedom of choice’ was taken away. If you’ve got OS X, and you use Keychain and Safari, you can choose super secure passwords with each website having their own password if you want, but how many people are willing to actually use it?

      • standardpull - 10 years ago

        You have three passwords total? That’s very risky & insecure.

      • Kawaii Gardiner - 10 years ago

        @standardpull True – ideally I should have a unique one for each service but I’ll probably hold off going to that extreme until Yosemite is released and I can clean up the mess on both computers.

  3. I think this is blah blah talk. I’m not a pro security guy but I think there’s more behind that and it’s not Apple’s fault.

    • Xanoxis - 10 years ago

      Are you serious? It’s Apple’s tool, it has a security flaw, it was there the entire time. It’s Apple’s fault and nobody more…

      • nonyabiness - 10 years ago

        Sorry, there’s no other way to say it- you’re wrong. You should always assume that anyone with enough time can crack your account. Therefore, building passwords of a sufficient length, approximately ~15 characters long with spaces, numbers, mixed case, and special characters is the only way to ensure that the user isn’t necessarily the weakest link in their computer security. This assumes the 15 rules in the above post are followed of course. Had the celebs built HALFWAY decent passwords, it would be close to impossible to brute force- even given decades of time to crack, regardless if a max password guess lockout was not implemented.

        Build a decent password.

      • gbcox - 10 years ago

        Sorry, as mentioned in this article (as well as many other places) Apple had a flaw which exposed it to brute-force attacks – which means of course that even if you had a strong password, it could have been hacked. Password timeouts after multiple attempts is security 101 – and they missed it. That is just pitiful. Assigning blame to the victim is extremely lame… and Apple trying to cover this whole issue up by parsing words and running the whole thing through their spin machine is extremely offensive and speaks volumes about their character as a company. I recently also read that their two factor authentication doesn’t include all their services… it’s only a partial implementation – what’s up with that?

  4. jediknight2014 - 10 years ago

    iCloud.com doesn’t store photos. So the question is, how can a hacker get access to the photos on the phone if that’s where they came from? That’s saying, someone remotely gained access to an iPhone? I don’t believe that’s where the photos were taken.

    • Ben Lovejoy - 10 years ago

      If you have someone’s iCloud login, you have access to everything – you can even restore a wiped phone from the target’s iCloud backup and effectively clone their phone.

      • paulywalnuts23 - 10 years ago

        Ben, that would depend on how you use and have iCloud set up.. If you don’t use iCloud backup then what you have said is completely false..

      • Ben Lovejoy - 10 years ago

        Sure, but that’s a statement of the obvious

      • macmaniman - 10 years ago

        well thing is, if i enter that information on a “new” phone i get a notification email

      • Ben Lovejoy - 10 years ago

        You do, but again, if the email account is an Apple one, you can control that too …

    • Bruno Fernandes (@Linkb8) - 10 years ago

      With the appleID and its password, one could gain access to the Photo Stream – that’s just one way to get photos.

      IMO, the hardest part of the entire process, or the piece of the puzzle that started this whole thing is the first or first few email addresses – how did the attackers get them?

      • Ben Lovejoy - 10 years ago

        It only takes one email address to kick-start the process …

      • Bruno Fernandes (@Linkb8) - 10 years ago

        Ben: all it takes is one

        Me: But where did they get that 1? It also only takes one correct lottery ticket to win…

        BTW, how about updating the comment system on here to allow replies more than two levels deep? And editing of own posts for at least 10 minutes after initially posting.

      • Jassi Sikand - 10 years ago

        It only takes 1. You hack one by random guessing (see script), and you have contact list

    • tekenology - 10 years ago

      If you sign in to the iCloud account on your Mac, you can get access to the photo stream through Finder and iPhoto. This can also be done on a PC as well. If they got this info and the people had their photos sync with iCloud, then you can receive all photos within a few minutes

  5. Taste_of_Apple - 10 years ago

    This might explain some things. Other alleged details don’t line up though. I’m waiting to see additional information. If it is an iCloud issue, Apple better double down on their security.

  6. There are a lot of indicators pointing to this coming from a Dropbox exploit.

  7. Matthew Sims - 10 years ago

    Once again this “hack” comes down to poor password management by the users. If this steers more people to use services such as LastPass or 1password then at least something positive can come of it.

    • Harry Callahan - 10 years ago

      Apple makes it devilishly hard to use a strong password. You have to type in your Apple password every time you install an app. On mobile devices with their limited keyboards, typing in a strong password is a huge pain. The design of touchscreen keyboards requires an awkward layout switch for even the most basic of password requirements such as having both letters and numbers in the password. Until very recently, Apple did not support two-step authentication for most services, and their implementation still lags everybody else’s in major ways (e.g. lack of offline generation of auth codes). For a company that prides itself on design and ease of use, their security architecture is stunningly lacking on both counts.

      • c1ce091b - 10 years ago

        I have 1Password, and for my mobile devices, it’s a single step to copy a password from that application and then paste it into Apple’s password prompt, or any other service that requires a password. One extra step… that’s it.

      • Matthew Sims - 10 years ago

        If you have an iPhone5S (or in a fortnight’s time an iPhone6) you can use TouchID to authenticate for app installs, updates, iTunes purchases etc. If you use 1password/LastPass/insertpasswordmanagerhere then you can copy paste long complex passwords with just a few taps. Probably 90% of my passwords are so long and complex even I don’t know what they are without the password manager (which is encrypted and multi factor authentication protected).

        Apple’s mistake here is having poor brute force detection systems. The actual fault over weak passwords is purely down to the user.

      • huges84 - 10 years ago

        I use LastPass and it will copy the password to the clipboard. Then just paste it in. I have a 20 random character password.

  8. Marc Witteveen - 10 years ago

    You can find the leaked photos online. If you look at the EXIF information of the photos you’ll see that a lot if not the biggest part of the photos were made on Android devices. It is nevertheless possible to upload photos from your Android phone to an iCloud account using e.g. your Mac. I do not have proof of it but I think that it is more likely that the photos came from another cloud service such as Dropbox or Google Drive.

    Another possibility could be that the mobile devices were hacked when the celebrities were at an event, e.g. the Emmys, and used an unsecured or spoofed wireless access point.

    My question is, why would you store such private content on a cloud service, controlled by others vs. having your own controlled cloud service, e.g. Bittorrent Sync with a NAS on your own premises comes to mind.

  9. tekenology - 10 years ago

    Very interesting…

  10. Joshua Hale - 10 years ago

    Why is it always Ben or Stephen that always posts this type of news? hmmm…

  11. Fake Sound (@Secrxt) - 10 years ago

    Oh, so this was probably just a brute force attack? Thank goodness. I was freaking out. I had me some nudes that I didn’t want going on iCloud but didn’t realize “My Photo Stream” was on at the time. Fortunately, I don’t use bitch-ass passwords for important things like iCloud, lol.

  12. Bruno Fernandes (@Linkb8) - 10 years ago

    This sounds like it could be the work of Samsung trying to smear Apple. ;)

  13. Good for Blink182. Bad for Apple.

  14. 9to5Mac commenters’ logic = iCloud can’t be hacked so it must be the user’s fault for uploading private pictures. But wait, it’s actually Dropbox’s fault, because they can be hacked.

    • Bruno Fernandes (@Linkb8) - 10 years ago

      If you look at the leaked content, after being bored silly (it’s almost all crap), you may realize that it looks like it was collected over a long period of time and from different sources. This doesn’t look like an iCloud/iPhone/PhotoStream security breach at all based on the content.

  15. John Smith - 10 years ago

    Just reading coverage of this on a professional IT security site.

    Their high tech advice for celebrities on avoiding this type of embarrassment ?

    … Don’t take nudie pics in the first place

    …. If you do, don’t upload them to cloud servers

    Sounds more effective than any amount of software patches by apple, 30 random character passwords, two factor ID etc

  16. TBolt - 10 years ago

    On a brighter note – for some of these celebrities – we now have heard of them.

    I do hope this helps people finally learn that cloud storage is not the place to store critical data.

  17. Eric Estro - 10 years ago

    this had not happened with Andrés Manuel López Obrador

  18. raptormissle - 10 years ago

    Not surprised. After all, Apple security was always the Toxic Hellstew.

  19. cdmoore74 - 10 years ago

    This morning in Cupertino…..

    Tim – Phil, we can’t say a word about iCloud next week. Jennifer Lawrence is going to go hunger games on our asses. What do we do?

    Phil – Talk bad about Android fragmentation as we always do!

    Tim – You’re right! Android distributions numbers are always a classless punchline during our keynotes.

    Phil – Lets have Craig do it. We can throw in a joke about his hair.

    Tim – Just make sure you don’t use iCloud when saving the keynote. We don’t want the public to know our plans. Oh wait, that’s how the iPhone 6 parts got leaked on the internet.

  20. Truffol (@Truffol) - 10 years ago

    no one would store their nudes in icloud anymore regardless of how much more secure Apple claims icloud is after they fix the bugs

  21. Andrew Maloney - 10 years ago

    This is totally Apple’s fault and anyone saying otherwise is a fool. Just about every online service I use locks you out after 3 failed login attempts. This feature was missing.

    Without this lockout you can brute force hack any password of any length, given the time and resources. There are some that have stated you can attempt one user/password combo per 50-250ms, however they don’t take into account that you can have multiple login attempts concurrently brute force attacking the same account.

    Seriously, this is a huge fail by Apple. These strategies have been attempted to hack online gaming accounts for decades. With the failsafes in place said hackers now resort to misleading emails to lure unsuspecting gamers into divulging their personal information.

    I doubt it would have taken very long to hack these at all, and as stated by other users, once you hit one celebrity ‘pot of gold’ you just use their contact list to narrow down your scope of brute force attack. This alone would have allowed a concerted effort at ‘viable’ account, meaning that password of any length or complexity would have ultimately been compromised as all resources could be allocated into attacking that one account.

    So it is all good and well that a patch/bug fix has been implemented to address this, but leaving a security hole this big in your system from a company as big as Apple is a massive let down.

    Given that iCloud is on by default and the security flaw is theirs, and not the users’, I wouldn’t be surprised if you see a class action suit filed against Apple as a result of this.

  22. Tim Acheson - 10 years ago

    This meaningless statement from Apple is clearly designed to plant seeds of doubt about Apple being at fault, by implying based on no evidence whatsoever that Apple platforms and devices may not be to blame. It is a transparent attempt to deflect blame and discussion of the issue away from iCloud, loyally reported by the corporate tech media without question.

    Indeed, the fact that Apple remains silent about the nature and scale of these breaches very strongly indicates that the corporation is at fault and knows it, because if they could point the finger of blame elsewhere they obviously would not hesitate to do so — immediately and loudly.

    Apple should already know what caused this breach of iCloud security and unauthorised access to iCloud data. If they truly still do not know, that would indicate further negligence and/or incompetence.

  23. Wow this is completely an insane flaw. I am definitely not a hacker or even programming expert… But it would take me about 30 min, to create a script that would simultaneously try, username-password(for multiple users) combos all day long distributed on multiple machines. I would expand it way beyond the linked github script and try billions of passwords instead of 5000. I am sure I would get hundreds or even thousands of successful matches. Since people have the same password across multiple sites (many of the times), I would then cross reference gmail, facebook, twitter, and try to find these users corresponding usernames on other email/social/banking/etc. sites. I would then try the icloud password all of those sites and now have access to a persons social, political, financial and personal lives.

    This is just something I thought up in a few moments. Imagine what kind of evil the hackers have thought up since they have been at it for the last year or two! In addition, they were able to hack 50+ celebrity profiles, they no doubt have thousands more people’s profiles hacked and standing by, or are already actively exploiting them.

    Lastly, this flaw is not only gaping, but it is SO easy to exploit. Any programmer with an elementary understanding of APIs and authentication would be able to implement this. If this flaw was known to many different people (which it probably was), then you can be sure that many many people have used this and gained people’s passwords. So you’re not really dealing with one master hacker, but rather hundreds of hackers.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

