Actress Jennifer Lawrence is one of the victims of the celebrity hack

Apple service vulnerability responsible for celebrity hack

A piece of computer code capable of repeatedly guessing a password has been determined as a likely tool used in the high profile cyber-attack that exposed intimate photographs of tens of celebrities.

The malware, discovered on software website GitHub targets Apple's Find My iPhone application with a brute force attack, trying to get hold of the password without being locked out or detected by the user. If successful, the attacker can use the password to access related Apple services protected by an identical password, including iCloud, from where the sensitive images of tens of world famous actresses and models have reportedly been stolen

Technology site The Next Web, who discovered the code said that although there was no direct evidence, the timing of the discovery and the attack suggest the two could be linked. 

"The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's 'Find my iPhone' service without alerting the user or locking out the attacker,” said The Next Web’s Owen Williams.

"Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly. Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.”

The Next Web tested the code but found it was no longer working, locking the attackers out after about five wrong attempts to enter the password. This suggests Apple has already issued a patch. A comment on the GitHub website below the original post with the malware code said: "The end of the fun, Apple has just patched." However, Apple has not yet commented on the breach.

The malware reportedly used a list of 500 most common passwords as approved by Apple to perform the attack on Find my iPhone.

Stars including actress Jennifer Lawrence and model Kate Upton saw intimate photos posted on forum site 4chan on Sunday evening.

Experts have pointed to the weakness of many internet users' passwords, and basic security knowledge as being the cause for the widespread leak.

iCloud is Apple's own cloud service, a wireless storage facility that can be used to access files remotely. Other notable services include Dropbox and Google Drive, which enable users to keep more of their files close to hand without taking up huge amounts of memory on their devices.

"Cyber security is not just a technology problem, humans are very much key to its success. In our day-to-day work we see too many cases of employees divulging sensitive information without first verifying the legitimacy of the request,” said Rob Cotton, CEO at web security experts NCC Group

"People often point the finger at technology when they've been the victim of a cyber-attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame."

Human error, in a variety of ways, said Mr Cotton, often played a part.

"Last year NCC Group successfully compromised the iCloud account of a journalist as part of an authorised demonstration using a mixture of social engineering techniques and subterfuge - and the amount of information we were able to access was shocking," he said.

Separately, Wired reporter Mat Honan had his iCloud account breached and his devices wiped after hackers used a mixture of public information and social engineering when contacting Apple technical support, in order to gain access.

Stefano Ortolani, security researcher at online experts Kaspersky Lab said: "In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know, and control when the data is set to automatically leave your device.

"For instance, in iCloud there is a feature called "My Photo Stream" which uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices. Disabling this option might be a good starting point to be a bit more in control."

While the security of the cloud will now come under increased scrutiny, Ortolani points out that some element of risk has always existed.

"The security of a cloud service depends on its provider," he said. "However, it's important to consider that as soon as you hand over any data including photos to a third-party service, you need to be aware that you automatically lose some control of it. This is also the case for when you upload something online."

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them

Close