“Find My iPhone” Exploit Possibly Allowed Celebrity Photo Leak

Update (September 2, 2014): Apple has released a statement providing an update on the situation. I made a new post commenting on the situation here.

Over the past 12 hours, there has been a leak of celebrity photos. Programmers are speculating that the leak was caused by an exploit in the “Find My iPhone” service that allowed brute-forcing of passwords.

To brute-force a password means to try every single possible password until you find the correct one. Online servers have a number of mechanisms that can be used to stop brute-force attacks. For example, a server can limit the number of login attempts from each IP address. After, say, 5 incorrect passwords have been entered, further login attempts can be prevented, thus foiling further attempts to guess the password.

The exploit in “Find My iPhone” made brute-force attacks possible. The basic idea is that if you gain access to an iCloud account using Find My iPhone, then you have access to the e-mail associated with the account; the flaw made “Find My iPhone” a brute-force attack vector. This still leaves one problem for hackers: You can’t hack an e-mail you don’t know about. According to the article, they may have obtained the e-mails of various celebrities by breaking into one account, which is certainly possible if they were able to get access to someone who has e-mailed those celebrities.

So, assuming all this speculation about the “Find My iPhone” flaw was correct, what lessons can we learn from this incident?

1. Do not depend on an online service to provide proper protection against brute-force attacks. A single exploit like this one could allow brute-force attacks to happen. Make strong passwords.

If everyone targeted had used strong passwords, it is unlikely that this particular exploit would have allowed hackers to gain access to their accounts.

2. It doesn’t take much for your e-mail to be leaked. Even if you are careful about who you give it to, if one of your contacts gets hacked, be prepared attacks (phishing, brute-force, etc.) against your own e-mail soon. Educate your friends!

Sometimes, your e-mail is leaked through no fault of your own, but because of someone close to you who was careless. When this happens, you should be prepared for all kinds of attacks that can happen when someone’s e-mail is known. We don’t know how the hackers got into those celebrity accounts, but it is possible they used the same brute-force approach once their e-mails were found.

Another possible attack is phishing. I wrote a post on how to protect yourself against spear-phishing in July.

Leave a Reply

Your email address will not be published. Required fields are marked *