UPDATE–Apple has patched the vulnerability in its Find My iPhone app that likely was used in the attack that led to the publication of private photos belonging to dozens of celebrities over the weekend.
The victims of the breach included actors, models and athletes such as Jennifer Lawrence and Kate Upton. The photos have appeared all over the Internet, including 4chan and various photo sharing sites. Speculation raged over the weekend about how the attack may have happened and whether Apple’s iCloud service was to blame or some other vector had been used.
A mobile security team known as HackApp posted to GitHub in the days before the breach a tool called iBrute that has the ability to take advantage of the Find My iPhone flaw. Members of the HackApp team said they described the tool and a brute-force vulnerability in Apple’s Find My iPhone API at a local Defcon meeting in Moscow late last month. Apple has fixed the vulnerability, which allowed an attacker to try hundreds of possible passwords for a targeted account.
It’s not entirely clear that iBrute was used in the attack, but the HackApp team said in a statement that it had nothing to do with the attack on Apple’s iCloud service.
“I’m really sorry that the talk given by @hackappcom and @abelenko at a local @DefconRussia group meeting (@chaos_construct event) a few days ago has had such nasty consequences. And the blackhat community performed such weak, cheap and ungrateful feedback,” the statement says.
“In justification I can only mention that we only described the way HOW to hack AppleID. Stealing private “hot” data is outside of our scope of interests. We discuss such methods of hacks in our narrow range, just to identify all the ways how privacy can be abused. For everyone who was involved in this incident, I want to remind that today we are living in a Brave New Global World, when privacy protection wasn’t ever so weak, and you have to consider that all your data from “smart” devices could be accessible from the Internet, which is the place of anarchy, and, as a result, could be a source of undesirable and unfriendly activity.”
The tool released by HackApp took advantage of the fact that the Find My iPhone app, which is tied to a user’s AppleID, didn’t lock a user out after a set number of failed attempts to log in. The unnamed attackers behind the photo breach were able to target dozens of high-profile users’ accounts and eventually guess their passwords using the tool and a list of common weak passwords. The FBI has said that it’s looking into the breach, as has Apple.
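As an added defensive illustration (not code from the article, HackApp or Apple), the constructed in-memory login service below keeps the per-account failed-attempt bookkeeping the article says Find My iPhone lacked: with `lockout_threshold=None` it behaves as described (failures are counted but never block the account, so guessing can continue indefinitely), and with a threshold it locks the account for a window after that many failures. The account name, threshold and lockout window are assumptions, and the real API is not modelled.

```python
import hashlib
import hmac
import os
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so stored credentials are not reversible if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Constructed stand-in for a password login endpoint (assumption)."""

    def __init__(self, lockout_threshold=None, lockout_seconds=900):
        # lockout_threshold=None reproduces the pre-patch behaviour:
        # failures are recorded but the account is never locked.
        self.lockout_threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds
        self.accounts = {}   # username -> (salt, pbkdf2 hash)
        self.failures = {}   # username -> (failed count, locked_until)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = (salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str, now=None) -> str:
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if locked_until > now:
            return "locked"          # reject before even checking the password
        salt, stored = self.accounts.get(username, (b"", b""))
        # Unknown accounts fall through to a failed compare, not an early return.
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if self.lockout_threshold is not None and count >= self.lockout_threshold:
            locked_until = now + self.lockout_seconds
        self.failures[username] = (count, locked_until)
        return "locked" if locked_until > now else "invalid"

    def failed_attempts(self, username: str) -> int:
        # Detection hook: a monitoring job can alert on accounts whose
        # failure count climbs, which is the signal a guessing run leaves.
        return self.failures.get(username, (0, 0.0))[0]
```

Locking on failures only blunts guessing against a single account; a guessing run that spreads a few attempts across many accounts still needs rate limiting per source and alerting on the aggregate failure count.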
In a statement, Apple said that it has determined the breach was the result of targeted attacks against some of its users, but did not involve a compromise of any of the company’s services.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved,” the Apple statement says.
Apple offers a two-factor authentication option for users, but it currently doesn’t protect against the kind of attack that was used in this case. The system uses verification codes sent either via SMS or through Find My iPhone, which the user must enter along with a password in order to log in to iTunes. However, that second authentication step doesn’t occur when someone simply logs into an iCloud account.
This story was updated on Sept. 2 to add Apple’s statement and on Sept. 3 to clarify that Apple’s 2FA doesn’t protect iCloud logins.