Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple 'Actively Investigating' Possible Hacking of Celebrity iCloud Accounts
- Thread starter MacRumors
- Start date
- Sort by reaction score
I guess if the celebs in question are pissed about the invasion of their privacy, it means they had something to hide.
NSA needs to be tracking these terrorist individuals. You can't hide things these days and expect to remain free from prying eyes.
Isn't that what everyone here always says? "If you have nothing to hide, then don't worry about someone seeing what you post or store"?
Also this whole thing stinks heavily of a conspiracy against Apple. How fitting this happens one week before Apple's yearly event. How fitting this all gets 'leaked' in one day on a long weekend here in the states.
NSA needs to be tracking these terrorist individuals. You can't hide things these days and expect to remain free from prying eyes.
Isn't that what everyone here always says? "If you have nothing to hide, then don't worry about someone seeing what you post or store"?
Also this whole thing stinks heavily of a conspiracy against Apple. How fitting this happens one week before Apple's yearly event. How fitting this all gets 'leaked' in one day on a long weekend here in the states.
Unlikely. First, the celebs would have to prove that the source of the images is their iCloud account and not someone who they may have shared the photos with. Second, the iCloud terms of service explicitly say that Apple does not guarantee against hacking or other security breaches:
These photos have probably been collected over the years from multiple sources. The fact that Apple recently closed a security issue that allowed multiple password attempts without locking out the account is possibly related or possibly just a coincidence. I really doubt that all these images were all collected one day last week.
Celebrities aren't typically known for technical competence. It's very likely sloppy handling of data, devices, and/or passwords is to blame for some of these leaks. Not that this excuses the invasion of their privacy, but if you're going to take naked pictures of yourself and it's vitally important to you that they do not get out, you should really understand how to keep them private. Scumbags will be scumbags.
"This breach is different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface."
This breach is also different in that there isn't actual proof that there was a breach yet...
This is why...
This is exactly why I tell everyone I know that placing anything on a server opens you up to crimes such as identify theft and a whole host of other crimes.
I think Apple has a whole lot of explaining to do.
This is exactly why I tell everyone I know that placing anything on a server opens you up to crimes such as identify theft and a whole host of other crimes.
I think Apple has a whole lot of explaining to do.
that's why i'm not at all worried about my iCloud account. I have nothing to hide in there, and nothing important, so honestly if someone hacked it, it wouldn't really make me upset at all.
Ddi you see that part?
ZDNET article
http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/
This is a PR nightmare for Apple, wouldn't wanna be in that department right now.
World stars are tweeting out things like "Thank you iCloud" from @kirstendunst
They screwed up BIG TIME if they allow brute-force.
AND they want to present HealthKit in a couple of days - good luck with that!
World stars are tweeting out things like "Thank you iCloud" from @kirstendunst
They screwed up BIG TIME if they allow brute-force.
AND they want to present HealthKit in a couple of days - good luck with that!
Unfortunately, the explaining is due to a "hacker's" claim on 4chan about where these photos came from at this point...which Apple haters are having a field day with acting as if it's already true. There's nothing wrong with point out Apple's fault, even gloating about it if true. However, at least wait until it's proven and stop claiming that it's already a fact.
----------
Yes, also not proven...really taking arstechnica down a notch as far as respect goes here.
"reportedly" should read "allegedly".
Facts are not welcome by the masses here on the internets. If people actually wanted them they would consider, and not ignore the posts (previous in this thread along with on multiple other sites) that offer an alternative (and potentially more likely?) explanation as to what actually happened.
Phishing scams probably weren't necessary - there was definitely a security issue with iCloud.
The problem was that a "Find My iPhone" API was allowing unlimited attempts on passwords (no rate limits, lockouts after too many attempts, etc).
So all a hacker would have needed is a user's iCloud ID and they could run a brute-force attack, which will eventually guess most passwords that aren't highly secure or completely random.
Apple fixed the issue within the last 24 hours, after the release of the "iBrute" tool which exploited it.
Note: Enabling 2-factor authentication for iCloud will protect you from this kind of attack!
iCloud buggy for a long time
I have a locked out device I'm still waiting for Apple to activate from the first flawed Find My iPhone problem. I've been talking about problems with iCloud and "Find" on the forums and this pretty sweet karma for Apple.
I hope this puts a good dent in holiday sales for them.
I have a locked out device I'm still waiting for Apple to activate from the first flawed Find My iPhone problem. I've been talking about problems with iCloud and "Find" on the forums and this pretty sweet karma for Apple.
I hope this puts a good dent in holiday sales for them.
And yet its been stated multiple times that the images came from multiple people and span a long time period. Some of the filenames are indicative of other sites such as dropbox, Facebook, twitter, etc.. and many of the photos were taken with Android devices (which lowers the odds of them using iCloud in the first place).
Not that any of that is true either, but at this point its equally as valid an explanation as iCloud being hacked since nothing has actually been proved yet.
you guys who feel sorry for the celebs... really? they made those pictures, so why do you feel sorry for someone who feels the need to let other people see them naked? It's nobody's fault but their own. Don't blame apple, samsung, google, sony, or any other company for this. blame Jennifer Lawrence, Mary Elizabeth, Kate Upton, and Kristen Dunst....
So does that go for the rest of the internet too? Or just anyone pointing out that this existed. Apple patched it today. So if nothing existed then why patch for it?
ZDNET has the exact exploit and process that was used. The exploit was uploaded to Github yesterday as proof.
http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/
Sorry, but 24 hours sounds like a VERY short amount of time to brute force hack fifty accounts, find and access this data in a device backup, shop the photos around, then break the news to the world...before 7 PM yesterday.
Yes, we know how it could be done. But, it doesn't mean it was done that way. That's where the leap is. Only a very weak password would allow a network based brute force attack of any kind. Even if there was a brute force bugs, other things are usually looked at in logs that would have triggered concerns independently if this was done on a large scale for a long time on many accounts.
So, possibly a combination of this bug and a weak password; having a email account name with some info linked to your ID doesn't help either since it can be guessed too. The email used for security verifications should not be linked to your name, not be logged with a password used elsewhere and not given to anyone.
For now, all we know some photos came from Icloud, not much else is known. The truth is out there. X files theme plays ;-).
Answering Reason077
So all a hacker would have needed is a user's iCloud ID and they could run a brute-force attack, which will eventually guess most passwords that aren't highly secure or completely random.
------------
While there may not have been a lock out mechanism, there are usually other independent security mechanisms at play that do establish a limit on how many attempts you can do before being detected and how fast they can be. Guessing a random password accross the web if the password is complex enough in 24h would require an almost denial of service like access to the Apple servers... That would be noticed.
Improbable that this would not be detected. A shorter, non complex password is most probable, because that's what 90% use even though they've been warned not to use them and because its doesn't require some feat of supernormal access.
Last edited:
Thats not what happened......they released the exploit just 24 hours ago. That doesn't mean it only existed for 24 hours. They released it as proof.
This goes for anyone that is already flat out claiming these photos came from an iCloud breach when the ONLY information pointing to that is from an anonymous 4chan user. Apple will be forced to reveal what happened, likely early this week...THAT is when you can run with the Apple hatred, slander, etc etc. For now, just sit there all giddy with your fingers crossed that this company you hate messed up.
Well, you may say that but it's been all over the main stream national news here in the UK and their fingers are pointing at Apple:
http://www.bbc.co.uk/news/technology-29011850
http://news.sky.com/story/1327908/fbi-investigating-leaked-nude-celeb-photos
And I don't think Apple's PR control is very good when they state no comment!
Also, people on here could have their entire personal information and medical information leaked due to very very poor security on Apple's systems and they would STILL never ever blame Apple.
Anyway, if anyone thinks any prosecutions will come, no chance, you can track anyone on the net but even if the do find the culprits, is anyone going to press charges?
Oh and as for passwords, hahahahahaha you would be shocked at the passwords people use, and that is people from ALL walks of life and age.
I'm sure it didn't exist for just 24 hours but it's likely that tool would have been involved. Regardless, ALL of this is speculation.