Flaw in Apple iCloud's Find My iPhone blamed for leak revealing celebrity photos

Apple, FBI launch probes into embarrassing data breach

Various reports point to a failure in Apple's iCloud security system, ultimately leading to the leak of several celebrities' nude photos to the Internet.

The flaw appears to be with iCloud's Find My iPhone service, explains Owen Williams with The Next Web.

"The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use [a brute force attack] to guess passwords repeatedly without any sort of lockout or alert to the target," Williams explains.

Both Apple and the Federal Bureau of Investigation are investigating the alleged breach, the Los Angeles Times reports.

With the upcoming launch of its iPhone 6, the last thing Apple wants is a security breach fiasco.

"We take user privacy very seriously and are actively investigating this report," Apple spokeswoman Natalie Kerris tells Re/code.

The source of the photos, which first appeared on the image-based message board 4Chan and later spread to other, more mainstream sites, has been speculated to be anything from direct thefts to deep-web celebrity pornography trading rings, but the original 4Chan thread and leaker said the photos were culled from iCloud accounts.

Darien Kindlund, director of threat research at FireEye, tells Re/code that Apple's security setup for cloud accounts is lacking, regardless of whether the company's systems were involved in the leaks. He noted that Apple has been too slow in widely adopting two-factor authentication, which adds another hurdle for potential hackers.

"In general, Apple has been a little late to the game in offering this kind of protection, and doesn't advertise it," Kindlund says. "You have to dig through the support articles to find it."

Two-factor authentication, which Apple refers to as "two-step verification," is a process offered by such sites as Dropbox, Google and Twitter. It relies on a second device to which the company sends a temporary code whenever personal data is accessed. As Kindlund said, Apple has the option available, but it is not their (or many others') default security choice.

Further, it took this incident for Apple to close a well-known exploit in the iCloud password system, according to Re/code. A program called iBrute, which is available (but now essentially defunct) on GitHub, took advantage of the unlimited number of guesses users were given when trying to access iCloud accounts through the Find My iPhone service. The absence of any limit left a gaping security hole that allowed brute force password guessing.
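The control the reports say the Find My iPhone endpoint lacked, a per-account failed-login lockout with an alert, as an added illustration that is not code from Apple or from the article: a sliding-window throttle replayed over a constructed login log. The thresholds, account names and log format are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed inside the window (assumed)
WINDOW_SECONDS = 300    # sliding window for counting failures (assumed)
LOCKOUT_SECONDS = 900   # how long the account stays locked after the threshold (assumed)

class LoginGuard:
    """Per-account failed-login throttle: the lockout and alert that were reportedly missing."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> unlock timestamp
        self.alerts = []                     # (timestamp, account) alert records

    def attempt(self, ts, account, password_ok):
        """Process one login attempt. Returns 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"          # reject without evaluating the password at all
        if password_ok:
            self.failures[account].clear()
            return "ok"
        q = self.failures[account]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_SECONDS:
            q.popleft()              # drop failures older than the window
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            self.alerts.append((ts, account))   # notify the account owner / SOC
            q.clear()
        return "fail"

def replay(log_lines):
    """Feed constructed 'ts account result' lines through the guard; return outcomes and guard."""
    guard = LoginGuard()
    outcomes = []
    for line in log_lines:
        ts, account, result = line.split()
        outcomes.append(guard.attempt(int(ts), account, result == "success"))
    return outcomes, guard

# Constructed sample log: one account hammered with guesses, one normal user.
SAMPLE_LOG = [
    "1000 alice@example.com failure",
    "1001 alice@example.com failure",
    "1002 alice@example.com failure",
    "1003 alice@example.com failure",
    "1004 alice@example.com failure",   # fifth failure in window: lockout + alert
    "1005 alice@example.com success",   # right password, but the account is locked
    "1011 bob@example.com success",     # unrelated user is unaffected
    "1905 alice@example.com success",   # lockout expired (1004 + 900 = 1904)
]
```

Without the `locked_until` check, the sixth line would succeed, which is exactly the unlimited-guess behaviour iBrute exploited.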

For more:
- check out The Next Web report
- read the Re/code article
- read about two-step verification on Apple and Google support sites
