BreachExchange mailing list archives

AppleID and iBrute vulnerability responsible for Celebrity Photo Hacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Sep 2014 18:03:57 -0600

http://blog.gadgethelpline.com/appleid-ibrute-vulenerability-responsible-celebrity-photo-hacks/

Today is one of those days on the internet where the real freedom of the
internet and the technology we use are questioned. It raises many queries
over privacy and the secrecy of your, and our, content that is stored
online and inside our tech.

Yes, we are speaking about the mass hack that has reportedly seen over 100
female celebrities' personal pictures and information stolen from private
accounts, many of them with nude or NSFW images of some of the best-looking
and biggest female stars across the globe. Now, we are not here to discuss
who and what has been leaked (if you want to see that, just search for
Jennifer Lawrence), as it crosses that fine line, but how it was accessed.

Many are currently pointing the finger at Apple, and its iCloud storage
being the place that has seen the hack. It doesn't seem to be a mass
break-in/hack of Apple's storage service, more an access loophole that can
be exploited by many more in the future.

Reports state that the hacker(s) accessed the Apple iCloud accounts via a
loophole in the login security. Reportedly the exploit relates to a project
on the code hosting site GitHub called ibrute.

A day before the images leaked, the developers of ibrute announced a bug in
the Find My iPhone service that means it doesn't employ brute force protection,
which basically means that a hacker can repeatedly keep trying different
password combinations without ever being locked out of the account.

Thus, using password creation software, hackers can mass attack AppleIDs
online in the hope that eventually a password match is seen. This system
would of course need the email address of the celebrity that is under fire,
but in today's digital world this isn't always the hardest thing to find,
and once one celeb/agent/person in the know had their account hacked, it
would give access to a whole host of other accounts through the contacts in it.
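The control the article says was missing is a per-account failure counter with a lockout. The block below is an added example, not code from the article, iBrute or Apple; the credential store, the thresholds and the guess list are all constructed, and the replay shows how many guesses a lockout actually lets a guesser test before the account goes dark.

```python
"""Per-account lockout: the brute-force protection the article says the Find My
iPhone login lacked.  Added example, not code from the article, iBrute or Apple;
the credential store, thresholds and guess list below are all constructed."""
from dataclasses import dataclass, field
from hmac import compare_digest

MAX_FAILURES = 5          # consecutive misses allowed before the account locks
LOCKOUT_SECONDS = 900.0   # lockout length; the failure counter resets afterwards


@dataclass
class LoginThrottle:
    passwords: dict                              # account -> password (constructed store)
    state: dict = field(default_factory=dict)    # account -> [failures, locked_until]

    def attempt(self, account: str, guess: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'.  While locked, even the right
        password is refused, so an unlimited guesser gains nothing by continuing."""
        failures, locked_until = self.state.get(account, [0, 0.0])
        if now < locked_until:
            return "locked"
        if locked_until:                 # lockout has expired: count afresh
            failures, locked_until = 0, 0.0
        expected = self.passwords.get(account, "")
        # compare_digest keeps the comparison time independent of where the guess diverges
        if account in self.passwords and compare_digest(expected.encode(), guess.encode()):
            self.state.pop(account, None)
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.state[account] = [failures, locked_until]
        return "denied"


def replay_wordlist(throttle: LoginThrottle, account: str, wordlist, step: float = 0.5):
    """Feed a guess list at one account, one guess every `step` seconds.  Returns
    (guesses the server actually compared against the password, whether one hit)."""
    checked, found = 0, False
    for i, guess in enumerate(wordlist):
        result = throttle.attempt(account, guess, i * step)
        checked += result != "locked"
        found = found or result == "ok"
    return checked, found


# Constructed account and a short dictionary; the real password sits in position six,
# so without a lockout the sixth guess would have succeeded.
ACCOUNTS = {"alice@example.test": "correct horse"}
GUESSES = ["123456", "password", "qwerty", "letmein", "monkey", "correct horse", "dragon"]

if __name__ == "__main__":
    print(replay_wordlist(LoginThrottle(dict(ACCOUNTS)), "alice@example.test", GUESSES))
```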

It's not confirmed that this is indeed the reason for the leaks, but it
would seem that the iBrute devs have now fixed the issue that allowed the
loophole. There are of course other avenues for hackers to get into
accounts, from poor password control to simple abuse of trust
(friends/ex-lovers etc.), but with a large-scale leak of this nature, we
suspect something a bit bigger has happened.

It does pose the question of just how secure these types of online storage
are, and just to be safe, we would recommend changing your passwords
regularly and keeping them strong.

In the meantime, Reddit, Imgur and Twitter are all clamping down on users
and accounts that share and leak the images, but as with all things
internet, once it's out there, it's there forever.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!