Find My iPhone online service that may have allowed hackers to get access to a number of celebrities' private pictures leaked online.
OVER 100 CELEBRITIES AFFECTED
By now, I hope everybody has heard about what is probably the biggest digital exposure of personal nude photographs to date, belonging to as many as 100 high-profile celebrities, including Jenny McCarthy, Kirsten Dunst, Mary E. Winstead, Oscar-winning actress Jennifer Lawrence, and model Kate Upton.
Initial reports suggested that the breach of the celebrities' iCloud accounts was made possible by a vulnerability in the Find My iPhone feature, which allegedly allowed the attackers to pull the photographs out of the victims' Apple iCloud backups.
Anonymous 4chan users who claimed to have grabbed the images posted some of them to the "b" board of the notorious bulletin board 4chan, where the posters demanded Bitcoin in exchange for a peek at the images.
The anonymous 4chan user sparked the scandal on Sunday after dumping a large cache of alleged naked photographs of female celebrities onto 4chan, an online message board used for sharing pictures. As a result of the leak, the photographs and videos are apparently being widely circulated on the Internet.
After the story was picked up by the mainstream media, the affected celebrities, including Oscar winner Jennifer Lawrence and model Kate Upton, came forward to respond. Within 12 hours, the web was awash with private and very personal photographs of celebrities.
WHERE THE VULNERABILITY RESIDES
On August 30, just a day before the massive leak, proof-of-concept code for an Apple ID password brute-force attack was uploaded to GitHub by the mobile security team HackApp. What a coincidence, isn't it?
The proof-of-concept code is known as iBrute. It targeted a weakness in the sign-in endpoint of Apple's Find My iPhone service: the endpoint accepted an unlimited number of password attempts without ever locking the account, so an attacker could flood it with guesses and, given a weak password, eventually guess the one protecting a celebrity's account. Apple patched the vulnerability early on September 1.
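The control that was missing from that endpoint is a per-account failure counter with a lockout. The following is an added illustration, not HackApp's iBrute code and not a model of Apple's real service: a toy login gate with a constructed user store, run once with lockout disabled and once with it enabled, against the same constructed burst of wrong guesses. The account name, salt, password and guess list are all made up for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo user store (hypothetical account, salt and password).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"alice@example.com": (b"demo-salt", _hash("correct horse", b"demo-salt"))}


class LoginGate:
    """Password check with an optional per-account lockout after repeated failures."""

    def __init__(self, max_failures=5, lockout_seconds=900, rate_limited=True):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.rate_limited = rate_limited
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires

    def attempt(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is a caller-supplied clock for reproducibility."""
        if self.rate_limited and self.locked_until.get(account, 0) > now:
            return "locked"                 # lockout applies even to a correct guess
        rec = USERS.get(account)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        if ok:
            self.failures.pop(account, None)
            return "ok"
        # Keep only failures inside the sliding window, then add this one.
        window = [t for t in self.failures[account] if now - t < self.lockout_seconds]
        window.append(now)
        self.failures[account] = window
        if self.rate_limited and len(window) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"


# Constructed guess list: eleven wrong guesses, the real password last.
CONSTRUCTED_GUESSES = ["password", "123456", "qwerty", "letmein", "iloveyou",
                       "monkey", "dragon", "baseball", "football", "abc123",
                       "welcome", "correct horse"]


def replay_attempts(gate: LoginGate, account: str, guesses, start=0.0):
    """Feed the guess list to the gate one second apart; return (outcome, attempts made)."""
    for i, guess in enumerate(guesses):
        result = gate.attempt(account, guess, start + i)
        if result in ("ok", "locked"):
            return result, i + 1
    return "exhausted", len(guesses)


if __name__ == "__main__":
    open_gate = LoginGate(rate_limited=False)   # the state of the endpoint iBrute targeted
    print("no lockout:", replay_attempts(open_gate, "alice@example.com", CONSTRUCTED_GUESSES))
    locked_gate = LoginGate(max_failures=5, lockout_seconds=900)
    print("with lockout:", replay_attempts(locked_gate, "alice@example.com", CONSTRUCTED_GUESSES))
```

Without the lockout the replay walks through the whole list and lands on the password at the twelfth attempt; with it the account is locked after five failures and stays locked for the window, so the correct guess is refused too. A production version would also count failures per source address and alert when the same account sees many failures in a short time, since a lockout alone can be turned into a denial of service against the legitimate user.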
FINALLY APPLE REACTED
Apple has acknowledged the attack but did not address the vulnerability discussed here. The company issued a press release stating that neither iCloud nor Find My iPhone had been responsible for the leak of the private photos.
Rather, it said that the celebrity photo breach was a "very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."
IS APPLE’S TWO-FACTOR AUTHENTICATION EFFECTIVE?
Apple is encouraging its users to make use of its two-factor authentication service in an effort to prevent security-question based attacks on their accounts.
There is no doubt that two-factor verification makes it harder for attackers to obtain a user's login credentials in the first place, and so prevents many attacks. But an iCloud backup can be restored with just a user name and a password, which leaves the two-factor protection incomplete.
Unfortunately, Apple’s two-factor authentication currently does not protect against the kind of attack used in this case, because it does not cover many iCloud services, backups included. As noted by TechCrunch, the only three things two-factor secures in iCloud are:
- Signing in to My Apple ID to manage your Apple account
- Making iTunes, App Store, or iBookstore purchases from a new device
- Receiving Apple ID-related support from Apple
In fact, it does not ask for a verification code when you restore a new device from an iCloud backup, and this gap is exactly what the attackers took advantage of.
With a tool such as ElcomSoft's software, an iPhone's backup can be downloaded with the user name and password alone, bypassing two-factor verification entirely, because the two-factor system does not cover iCloud backups or Photo Stream.
HOW TO PROTECT YOURSELF
To protect yourself against this kind of attack, follow this advice:
- Whatever its gaps, enable two-factor verification: it still adds an extra layer of security to your account.
- Use a different password for each account, so that if one is breached the others remain safe.
- Use a complex password and do not share it with anyone.
- The same applies to email: use a private address for your Apple ID, one that you do not share with anyone.
- Don’t click links in emails; go to the website directly instead.
- Don’t share your personal information on social networks at any cost.
- Most importantly, use entirely wrong or random answers to password reset questions, so that nobody can guess them.