Apple is investigating vulnerabilities in iCloud after the service was exploited to hack the accounts of celebrities, leading to the publication of nude photos and videos. There are reports of more than 100 female celebrities being compromised.
A posting on GitHub, an online code-sharing site, by hackappcom said the group had discovered a bug in the Find My iPhone service, which tracks the location of a missing phone and allows a user to disable the phone remotely. The bug allowed an outside user to try passwords repeatedly rather than limit the amount of attempts. As a simple measure of security, most online services lock down an account after multiple attempts.
Some media outlets are claiming a brute force service called “iBrute” was used to gain access to the celebrities’ passwords, gaining them access to photos stored in their iCloud accounts.
The vulnerability was patched, but not until after the damage was done. Severe violations of privacy have occurred. While it appears that it was individual users and not the service that were hacked, it is a very public breach that should affect trust in cloud services in general.
“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.
The impetus falls on both Apple and users to protect themselves. Huge amounts of press coverage have made everyone more aware that they are not necessarily safe storing information in the cloud. Security measures are not always baked in. Steps such as using two-step verification are needed on the part of users across cloud services. Strong passwords or better yet, pass phrases greatly reduces the chance of an incident.
The event is a reminder that the general public views cloud as safe by default, thanks to the big technology names behind these cloud offerings. Cloud, however, is only as safe as the services that rest upon them. In the case of iCloud, the Find My iPhone service had a serious issue (Update: Apple Issued A Statement. None of the cases investigated resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone).
The event guarantees that users will be more cautious using cloud services, as the only foolproof way to avoid an attack is to not store online. The use of cloud services will continue to grow, however the event serves as a wake up call that not even the biggest services are necessarily foolproof, and that users must take steps to protect themselves.