Lots of companies fail to take action until they're forced to. It's the culture created for personal gain. The skilled people at Apple are now motivated to address and fix this.
 
2FA can't be implemented by scrambling. We know Apple has been working on it for months.

2FA might take time, but it doesn't take 6 months to develop code to lock out an account after a certain number of failed attempts. That's a standard feature that virtually every online service with a login does, even MacRumors. Apple just didn't take it seriously.
 
2FA might take time, but it doesn't take 6 months to develop code to lock out an account after a certain number of failed attempts. That's a standard feature that virtually every online service with a login does, even MacRumors. Apple just didn't take it seriously.

I'm sure you don't believe this statement is true.

I'm also sure Apple thought about locking accounts after X failed logins, but chose not to because of the overhead involved to deal with locked accounts. Of course, in hindsight that looks like a bad choice.
 
I'm sure you don't believe this statement is true.

I'm also sure Apple thought about locking accounts after X failed logins, but chose not to because of the overhead involved to deal with locked accounts. Of course, in hindsight that looks like a bad choice.

I absolutely believe that they dismissed it as not important. The account doesn't even need to be locked. Just requiring a 15 minute wait would slow a brute force attempt to a crawl and render it useless.
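
The lockout and 15-minute-wait ideas discussed in the posts above, as an added example that is not part of the thread or of any Apple code: a per-account failed-attempt throttle, run against the 20,000 guesses mentioned in the article on a simulated clock. The threshold of 5 failures and the account name are assumptions; the thread only says "a certain number".

```python
class LoginThrottle:
    """Per-account throttle: after max_failures bad passwords, refuse
    further attempts for wait_seconds. The wait expires on its own, so
    nobody has to unlock the account by hand."""

    def __init__(self, max_failures=5, wait_seconds=15 * 60):
        self.max_failures = max_failures  # assumed threshold
        self.wait_seconds = wait_seconds  # the 15-minute wait from the post
        self._state = {}                  # account -> (failures, locked_until)

    def allowed(self, account, now):
        """True if a login attempt may be evaluated at time `now`."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return now >= locked_until

    def record_failure(self, account, now):
        """Count a wrong password; start the wait when the limit is hit."""
        failures, locked_until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            failures, locked_until = 0, now + self.wait_seconds
        self._state[account] = (failures, locked_until)

    def record_success(self, account):
        """A correct password clears the failure counter."""
        self._state.pop(account, None)


def seconds_to_exhaust(guesses, throttle, account="user@example.test"):
    """Simulated time until `guesses` wrong passwords have all been
    evaluated, assuming each attempt itself takes no time."""
    now = 0.0
    for _ in range(guesses):
        if not throttle.allowed(account, now):
            # The client has to wait; jump the clock to the unlock time.
            now = throttle._state[account][1]
        throttle.record_failure(account, now)
    return now


if __name__ == "__main__":
    elapsed = seconds_to_exhaust(20_000, LoginThrottle())
    print(f"20,000 guesses take {elapsed / 86400:.1f} days when throttled")
```

With these assumed values the 20,000 guesses need roughly 41.7 days of waiting, compared with running back to back when nothing limits them.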
 
Dear oh dear

Apple knew about an iCloud security flaw six months before it was utilized to hack celebrity accounts on the service, reports The Daily Dot. The company was notified of the exploit by independent security researcher Ibrahim Balic, who shared emails between himself and members of Apple's product security team.

In an email from March 2014, Balic told Apple that he was able to bypass the security of any iCloud account by using a "brute-force" hacking method that was able to try over 20,000 password combinations. Balic recommended to Apple that it should implement a feature in iCloud that prevents log-ins after a set number of failed attempts, and even reported the exploit through Apple's Bug Reporter. Balic was also the developer said to be behind the extended outage of Apple's Dev Center last year.

In May 2014, Apple emailed Balic and questioned the validity of the exploit, stating that it "would take an extraordinarily long time" to find a valid authentication token to get into an iCloud account using the flaw. Balic states that Apple continued to ask him about the exploit and how it would be utilized.

On September 1, 2014, hackers breached the iCloud accounts of many well-known actresses, downloading and leaking private photos and videos. While it was not initially known what caused the breach, The Next Web linked to a Python script on GitHub that may have been used for the hacking. The script utilized a brute-force-like method which allowed hackers to keep guessing passwords without being locked out.

Apple acknowledged later in the day that it was investigating the breach, ultimately leading to comments from CEO Tim Cook along with new security implementations. Those implementations included automatic emails when iCloud accounts are accessed via web browsers, automatic two-factor authentication for iCloud.com, and mandatory app-specific passwords for third-party apps accessing iCloud.

Article Link: Apple Reportedly Aware of iCloud Flaw Six Months Before Hacking of Celebrity Accounts

Apple have had 2-step verification on the My Apple ID site for ages; I have no idea why they never implemented it for iCloud until after it was hacked.
 
Is that really what happened? It sounds like hackers had been collecting those pictures for months if not years, they just started releasing a bunch all at once on that day.

Even they admit that this was an ongoing thing. And there are only like 5 confirmed iCloud users in the whole collection.

----------

This article seems to be saying a brute force method is how the accounts were breached, yes?

That's not the story that's been reported for weeks now. The reported story is that this was done by obtaining (through Facebook, Wikipedia, etc) the answers to security questions.

I understand that this guy wants to make himself look good and apple look bad, but unless all the reports have been wrong to this point, what he's saying may be relevant in some sense but is not why these celebs' accounts were breached.

No one is really saying how it happened, except that Apple says they were not the targets of a massive network traffic etc. that would be present during a brute force game.

But if it was security questions, phishing or something else, who knows. Just like the truth is that, aside from maybe five folks that admitted they use iCloud, we don't know if that is what was 'hacked' or if it was email, Google Drive, Dropbox etc.
 
Another bad Apple. I've been seeing nothing but more bad news since Apple allowed the preorders of the iPhone 6.

I don't think I'll be using Apple pay anytime soon.


It's always bad Apples

When have we seen a good one?

It's understandable to say "I don't believe you, let me do my own tests, or I need more proof"

Basically, customers are little guys to company security who reckon they know better than they do.
 
First, it was the hackers' fault. You cannot blame Apple or the celebrities for being robbed of private information. No robbery is the victim's fault.

Having said this, I think Apple should improve its security, especially implement and force users to use 2-step verification, especially for a service like iCloud which stores almost everything, even the keychain of all passwords...

And celebrities, like all other users, should have a better knowledge of what secure means, i.e. beware of public Wi-Fi, use proxies, disable auto-connect and so on. Also use more complex passwords, and a different one for each service.

It's always useful to remember this: http://xkcd.com/936/
 
Hard to feel sorry for spoiled brat celebrities who certainly don't mind sharing themselves with the public when it nets them millions of dollars. And, how stupid are they to post nudes on cloud servers? It's as bad as leaving your keys in the car and wondering why it got stolen.

This is THEIR own fault and I don't see why anyone should be crying for some snooty celebrities who posted compromising photos of themselves. Tough cookies.
 
Only 9 naked celebrities have contacted Apple about their leaked iCloud photos out of 100 million users...

can we say witchhunt/conspiracy/over-reaction?!?
 
But if it was security questions, phishing or something else, who knows. Just like the truth is that, aside from maybe five folks that admitted they use iCloud, we don't know if that is what was 'hacked' or if it was email, Google Drive, Dropbox etc.

Not only that, but in the case of a number of the celebrities there were only a couple pictures. When they have dozens of pix from one person it seems likely there was access to an account but if it's just one or two it could just as well be that they were made public by a pissed off ex boyfriend. Not to mention that a number of pictures are things like headless shots as well as "celebrity" pictures that don't look like any celebrities (or ones claimed to be a particular person that obviously aren't). No question a few accounts were accessed but beyond that small number the rest seems like the kind of leaks that have been happening on a regular basis for years.
 
Doubt it. People still bring up:

How Safari was unusable when the 3G came out
The cracks in the back of the 3G/3GS
Antennagate
Apple Maps
The purple haze in the photos of iPhone 5
Etc.

Plus, it's nearly a month since the photos leaked online and we're still talking about it.

There's a big difference between a few people on MacRumors talking about it and the mainstream media focusing on it. That's my point. ;)

----------

much goodbye over nothing? :confused:

I see the grammar and spelling patrol are out in force. :rolleyes:

----------

Awful victim blaming. "If she didn't want to get raped why did she dress like that?"

If you get hacked it's the hackers or people who gained entry into a private account who are to blame.

Yes, but if you know there is a murderer/rapist roaming your neighborhood and you leave your doors and windows unlocked, that's pretty dumb. People shouldn't murder, rape, or hack, but they do. So better to be safe than sorry. ;)
 
Only 9 naked celebrities have contacted Apple about their leaked iCloud photos out of 100 million users...

can we say witchhunt/conspiracy/over-reaction?!?

It's still an important and bad issue despite the numbers. Who knows how many other accounts might have also been compromised that simply didn't have something worthy enough to be publicly released or included in this particular release of the times (which was already specified to be just a limited sampling of what was obtained).
 