It shouldn't matter how long it would take a user to guess - repeated auth failures lockout is just a best practice; that should have been good enough to implement it.

It looks like they've figured out why others do it the hard way.
 
Tim Cook needs to rip the guy in charge of security at Apple on why the flaw was not investigated properly, instead of questioning Balic repeatedly.

Some Jobs'ian yelling and shouting is needed, looks like it. Cook is being too nice.

Steve would have called the guy a Bozo and fired him (and probably a good chunk of his surrounding team) - the second step is what Tim should do for this (whoever made the decision to ignore this brute force vulnerability) - it's too big an issue to let this slide by for whichever IT guy made the call to ignore it. JMHO...
 
Of course, take precautions, but if you're hacked, burgled, raped whatever it's not your fault - it's the person who did it.

The difficulty of the crime doesn't exonerate the person committing it.

Indeed, but I think a lot of folks are poor at assessing risk. That's the key.
 
Geeze... all this news is definitely having a great effect on the stock. :eek: Come on Apple, pull your heads out of your ass and get this stuff fixed.
 
It shouldn't matter how long it would take a user to guess - repeated auth failures lockout is just a best practice; that should have been good enough to implement it.

It looks like they've figured out why others do it the hard way.

It is a good practice, I agree, but I wonder how many users would lock themselves out? People forget passwords.

And then there's the malicious element who would deliberately try to fail authentication on others' accounts in order to lock their victims out of their own accounts. Just for kicks.
 
While I am not an expert, I would think that Apple should be able to fix this in far less than 6 months.

Who says they didn't. These photos were gathered over weeks if not months. Just because they didn't have a publicly confirmed lockout doesn't mean there wasn't something implemented internally.

Not that it is a guarantee anyway. If you are a hot female celeb and I get your account name the first thing I'm going to do won't be a dictionary attack. First I will phish you. Then try to reset your password. In many cases these work just dandy.
 
I'm waiting for the "not Apple's fault" crowd.

I love Apple products, the culture, heck I love everything about Apple EXCEPT the excuses made for them. Apple prides itself on excellence. Until they no longer make quality and excellence a selling point their customers need to demand it and call them out when they underperform.

Making excuses for mistakes & sloppy work will not help Apple.

Of course it's Apple's fault. It's an outrage the security was flawed.

But:

On September 1, 2014, hackers breached the iCloud accounts of many well-known actresses, downloading and leaking private photos and videos.

That's just bad journalism. I'm getting used to it tho; biased, one-sided crap to collect clicks.

I hope the investigation will bring to light how this worked; supposedly there's a ring of collectors and traders that trade illegally obtained photos from many sources.
 
It is a good practice, I agree, but I wonder how many users would lock themselves out? People forget passwords.

And then there's the malicious element who would deliberately try to fail authentication on others' accounts in order to lock their victims out of their own accounts. Just for kicks.

You bring up some valid points - wherever there is a vector for griefing it will be exploited. There are ways to combat this though. Apple has both the time and the resources to get it done; they don't even have to re-invent the wheel.
 
To all Apple haters. Please read and reply to this.

- iCloud hacks

Celebrities used weak passwords. Apple doesn’t have a limit on wrong password inputs... they should though.

- iOS 8 issues/iOS 8.0.1 issues

Ridiculous. Apple needs to fix this. . . NOW! :mad: Oh and btw, don’t update iOS device on first day.

- iPhone 6 Design
Design is nice. Bezels don't matter. Shut up and take my money :apple:

- Bentgate

Um . . . Physics. Aluminium is supposed to be malleable. Next time, don’t ask for a thinner phone. Thin and metal don’t go together correctly. Get a case fool. Stop wearing skinny jeans :rolleyes:.
It might actually be a hidden Apple Feature. Possible flexible iPhone 6S or 7 in the future :p

- HealthKit issues

Part of 'iOS 8 issues’. It needs to be fixed. . . . NOW! :mad:

- iPhone 6 RAM

You think RAM is free? You want to pay extra for more memory? iOS doesn’t hoard RAM like Android does.
Don’t like 1 GB RAM? Download more RAM! (you can’t really.)

- Free U2 Album issues

You shouldn’t have enabled automatic downloads in iTunes :cool:.


- Restricted NFC chip

A business decision that not everyone agrees with. The same happened with TouchID. It will open up in iOS 9 . . . maybe.


- Keynote streaming issues

FAIL! :apple:
 
Elliot Carver: Mr. Jones, are we ready to release our new software?

Jones: Yes, sir. As requested, it's full of bugs, which means people will be forced to upgrade for years.

Elliot Carver: Outstanding.
 
Whether this particular flaw was used to steal the celeb photos is irrelevant. The concerning thing is that Apple was shown a genuine security issue with their services and responded by patting the hacker on the head condescendingly and telling him to run along and play.

Were they, and did they? Seems to me that he didn't really show them a major flaw. Just because you can't try 20k passwords doesn't mean you will always hit the right one or that no one at Apple wouldn't be alerted.

And you have no proof of what they were or were not doing. They aren't going to tell this guy their game plan so he can use it against them after all.

----------

Now will these Celebs SUE Apple?

That is the curious thing. All these alleged breached iCloud accounts and none of them seem angry at Apple. They didn't need reports like this to claim Apple screwed them. Why haven't they? Perhaps because they know exactly how the information got out and Apple wasn't the issue.
 
No. The people who used brute force attacks to steal people's private photos are at fault and should be prosecuted to the fullest possible extent if caught, along with anyone sharing them.

Show us your iron clad proof that is what happened here. You can't because you have none. Just like no one has proof Apple really ignored this report etc.
 
So in your world, breaking into someone's account is okay, as long as they used "weak security" (whatever you judge that to be)? And stealing and sharing private nude photos from those accounts is also okay?

You have some really bad reading comprehension issues. I have no idea at all where you came up with the idea that he's ok with breaking into someone's account *at all* from:
I'm pretty sure it was determined that the brute force attack wasn't used for this hacking. It was stupid people not keeping their stuff secure. Also pics didn't all come from iCloud. Same "hack" was used with Gmail and Android backups.

All he pointed out was that the evidence doesn't support the claim that this security flaw had *anything* to do with the photo release incident.
 
Guessing passwords isn't much of a hack.

Not having exponentially increasing login delays after failed attempts is epic fail.

Disabling an internet accessible account after n failed login attempts is a bad idea. Script kiddies would disable random accounts to make your day.
 
Basic password security concepts have been around for decades and work well. The two most common are:

1. Delays between failed password attempts after a fixed number of tries.
2. Max failed attempts before either a phone call is needed or a very long delay.

Apple appears to have used neither and that makes brute force approaches viable. The inclusion of either will mostly eliminate brute force attacks.

Many people tend to pick poor passwords, even when they meet the length/case/numeric restrictions. This won't change, so other means are needed to protect things.

The two step process is a good start towards better cloud security. More is needed like the two above and other similar ideas. It's not rocket science.

Throttling login attempts is a common method to help prevent brute force attacks, yes. However, it also has the problem that, if you throttle too far, you can end up creating the possibility of a DOS for a user.

You saw the unrestrained glee with which these folks released 'naughty' pictures of famous actresses, right? Don't you think they'd take equal (or possibly even greater) glee in being able to prevent those same actresses from ever seeing their own email accounts?
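As an added illustration of the trade-off argued about in the posts above (this is not code from the thread, from Apple, or from any real login service), here is a small Python simulation of the two throttles: a hard lockout after a fixed number of failures, and an exponentially growing, capped delay. The constants, the "griefer" scenario and the 20,000-guess figure are constructed assumptions.

```python
# Added example (not from the thread): the two throttles argued about above,
# a hard lockout (policy A) and a capped exponential delay (policy B).
from dataclasses import dataclass

FREE_TRIES, MAX_FAILURES, MAX_DELAY = 3, 10, 15 * 60   # constructed values


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False        # policy A: stays set until an out-of-band reset
    next_allowed: float = 0.0   # policy B: earliest time of the next attempt


def lockout_policy(state, now, ok):
    # Policy A: returns True if the attempt was evaluated, False if refused.
    if state.locked:
        return False
    state.failures = 0 if ok else state.failures + 1
    state.locked = state.failures >= MAX_FAILURES
    return True


def backoff_policy(state, now, ok):
    """Policy B: attempts inside the delay window are refused unevaluated, so
    they neither count as failures nor reveal whether the guess was right."""
    if now < state.next_allowed:
        return False
    if ok:
        state.failures, state.next_allowed = 0, 0.0
        return True
    state.failures += 1
    extra = state.failures - FREE_TRIES
    if extra > 0:
        state.next_allowed = now + min(MAX_DELAY, 2 ** (extra - 1))
    return True


def seconds_to_evaluate(policy, guesses):
    """Wall time before `guesses` wrong passwords get checked (inf: locked)."""
    state, now, done = AccountState(), 0.0, 0
    while done < guesses:
        if policy(state, now, False):
            done += 1
        elif state.locked:
            return float("inf")
        else:
            now = state.next_allowed   # wait out the window, then retry
    return now


def owner_gets_in(policy, griefer_attempts, wait):
    """Griefer fires wrong passwords at t=0; owner tries the right one later."""
    state = AccountState()
    for _ in range(griefer_attempts):
        policy(state, 0.0, False)
    return policy(state, wait, True)
```

Under policy A the 20k-guess run is stopped at 10 evaluations but the owner is locked out until a reset; under policy B the same run needs roughly 208 days of wall time while the owner waits at most the current window. Backoff narrows the griefing window rather than closing it, since a griefer who keeps retrying exactly at `next_allowed` can hold the delay at `MAX_DELAY`, which is why per-source limits are normally layered on top.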
 
I don't blame Apple.

If these celebrities would simply read the End User Agreement of all their devices and software, they would know that Apple is not at fault.

Simple.
 
If your password is Password123, any loss of data is really self inflicted and you have nobody to blame.

Would you say it's also a rape victim's fault if they don't have bars on their windows?

This is the fault of the jackasses who hacked the accounts, NOT the women who were victims.
 
Oh please.
Yes the people should bear some responsibility but so should Apple.
Hypothetically let’s just say I:
a) Go to the bank and get a cashpoint card and I’m allowed to choose my own PIN. I choose the number ‘1’.
b) Go to the bank and get a cashpoint card and I’m allowed to choose my own PIN. This time I choose the numbers ‘1, 3, 6, 4, 6, 2, 8’.

One is significantly more secure than the other. This is because the card provider has made it impossible to choose too simple a PIN code. Apple are no different, they can provide a choice of not so common questions if they choose.
You know, ones that are still personal but:
The registration of the first car you owned.
Number of children your great grandmother had.
Your height in inches/cm/mm.
Your weight in pounds.
Total number of characters in your uncle's full name.

…and so on.

In your list of "not so common questions", you've listed *two* things you're not likely to be able to find out about a celebrity with a few hours of research *at most*. One of those simply takes uncommon (but not rare) access to get easily and quickly, but in any significant hacker community, you're likely to have *someone* who has or can get that needed access with minimal effort/risk. The other you can probably find within a day or so, if you know what you're doing.

Good 'security questions' are hard to come up with. They're even *harder* to come up with when they are going to be applied to people whose whole *lives* are analyzed by the masses.

----------

Because the existing system with magnetic strip on cards is SO much more secure! No way you'll ever have problems using it with reputable chains like Goodwill, Target or Home Depot. No sir!

With ApplePay your credit card information never leaves your phone. Instead, transactions are done with one-time codes. If (when) there's another massive breach like Target or Home Depot, the only people's info who *won't* be exposed are the people using ApplePay, because the information from the ApplePay transactions *CAN'T BE REUSED* for future transactions.

----------

You realise what you gave as an analogy is just another example of victim blaming, right? For rapes to stop, people need to stop raping. If a person rapes, that person is to blame. Attempting to control people by telling them not to walk down alleys and then blaming rape on them if they don't listen to you is victim blaming.

FTFY.

Most people don't realize this, but studies have shown that rape victims are split about 60:40 by gender, not the generally assumed 99:1 ratio.
 
I don't think it was just iCloud. iCloud is taking the heat, but the pics I've seen had Dropbox files in with the pictures and iCloud wouldn't back those files up!
 
Ah, but they don't store your credit card details do they?

Not only does Apple not store them, they never even see them. Even if they wanted to store your credit card details, they couldn't.

----------

Would you say it's also a rape victim's fault if they don't have bars on their windows?

This is the fault of the jackasses who hacked the accounts, NOT the women who were victims.

So you agree it's not Apple's fault, right? Because this whole discussion is not about the hackers' fault, which nobody ever put into doubt, but whether it is the fault of iCloud. So this isn't blaming a victim about having no bars on their window, it's blaming the landlord for not putting bars on the window, and it turns out the victim left their front door open.
 
Legit user just resets password. Issue resolved.

Unless of course the first step is to check for piss poor security questions and get in by resetting the password. And immediately change the credentials to keep the real user out.

Ok, the legit user resets the password. Now what?
In the next few seconds/minutes/whatever, the DOS has *again* submitted however many incorrect password attempts it takes to lock the account.
Rinse.
Repeat.

I could, if I were an *******, demonstrate the futility of unlocking an account and resetting the password in the face of a determined DOS by writing a quick bit of javascript that submits bad login attempts to MacRumors for *your* account on whatever schedule will keep you from being able to use your account here. The only way your account would stay unlocked for any useful amount of time would be if I were to correctly guess your password and thereby avoid locking it. But that wouldn't be my goal.
 