Nude pic scandal: Did hacker use Find My iPhone loophole?

Supermodel Kate Upton, one of the alleged targets of a nude photo hacking scandal to rock Hollywood. Photo/Getty

A flaw in the Find My iPhone function of Apple's iCloud service may have helped a hacker to steal nude photos of Jennifer Lawrence and "100 other celebrities".

The hacker claims he or she broke into stars' iCloud accounts, including those of The Hunger Games actress, Kate Upton and Rihanna, before publishing the photos on 4chan, the image-sharing forum.

A list of the alleged victims of the hack - a staggering 101 in total - has also been posted online. Most have not yet had any photographs leaked by the hacker, but snaps of Jennifer Lawrence were confirmed as real by the actress' publicist.

Following the publication of the images, experts have voiced their concerns over how the hacker managed to access them. Now, reports suggest that a specific flaw in the Find My iPhone service may have been to blame.

Despite the story breaking last night, Apple is still yet to confirm or deny whether its software was the target of the hacking.

However, in the meantime, it has quietly issued a "patch", or fix, for the bug.

Launched in October 2011, the firm's iCloud service is now used by more than 320 million people worldwide.

When activated, it automatically stores users' photos, emails, documents and other information in a 'cloud', allowing them to sync the data across a range of platforms. These include iPhones, iPads and MacBooks.

Users can then access their information from any internet-connected device using a log-in and password. The service secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on the server, and using secure tokens for authentication.

This means that information is protected from hackers while it is being sent to devices and stored online.

This suggests the hackers were able to obtain the login credentials of the accounts, and therefore pretend to be the user, in order to bypass this encryption.

Earlier today, The Next Web spotted code on software development site GitHub that would have allowed malicious users to use "brute force" to gain an account's password on Apple iCloud, and in particular its Find My iPhone service.

A message has since appeared saying that Apple has issued a fix for the bug. "The end of the fun, Apple has just patched," read an update on the post.

Brute force, also known as "brute force cracking", is a trial-and-error method used to get plain-text passwords from encrypted data.

Just as a criminal might break into, or "crack" a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.

In a six-letter attack, the hacker will start at 'a' and end at '//////'

Owen Williams from The Next Web, who discovered the bug, said: "The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's Find my iPhone service without alerting the user or locking out the attacker.

"Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly. Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.

"If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user's knowledge.

"We can't be sure that this is related to the leaked photos, but the timing suggests a possible correlation."
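The gap described in the quote above is an authentication endpoint that accepted unlimited guesses with no lockout and no alert. As an added example (not code from the article, Apple or the GitHub script), the following sketches the server-side control that closes it: one failure counter per account, shared by every endpoint that checks a password. The endpoint names, thresholds and credential are constructed assumptions.

```python
import hmac
from collections import defaultdict, deque

MAX_FAILURES, WINDOW_S, LOCKOUT_S = 5, 900, 1800  # assumed policy values

class LoginThrottle:
    """Per-account failure counter shared by every endpoint that checks a password."""
    def __init__(self, notify):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.notify = notify                 # callback that alerts the account owner

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, endpoint, now):
        recent = self.failures[account]
        recent.append(now)
        while recent[0] <= now - WINDOW_S:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_S
            self.notify(account, endpoint, len(recent))

    def record_success(self, account):
        self.failures.pop(account, None)

def authenticate(throttle, check_password, account, password, endpoint, now):
    """Single choke point: every endpoint calls this instead of checking passwords itself."""
    if throttle.is_locked(account, now):
        return "locked"                      # refuse before the password is even compared
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, endpoint, now)
    return "denied"

def simulate():
    """Constructed run: six guesses alternate between two hypothetical endpoints."""
    alerts = []
    throttle = LoginThrottle(lambda acct, ep, n: alerts.append((acct, ep, n)))
    store = {"user@example.test": "correct horse"}   # constructed credential
    check = lambda acct, pw: hmac.compare_digest(store.get(acct, ""), pw)
    guesses = ["123456", "password", "qwerty", "letmein", "iloveyou", "correct horse"]
    endpoints = ["/login", "/device-locator"]
    results = [authenticate(throttle, check, "user@example.test", g, endpoints[i % 2], 1000 + i)
               for i, g in enumerate(guesses)]
    return results, alerts

if __name__ == "__main__": print(simulate())
```

Because the counter is keyed by account rather than by endpoint, failures on the secondary endpoint count toward the same lock, and the sixth guess is refused even though it is the correct password.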

Rob Cotton, CEO at web security experts NCC Group added: "Cyber security is not just a technology problem, humans are very much key to its success. In our day-to-day work we see too many cases of employees divulging sensitive information without first verifying the legitimacy of the request.

"People often point the finger at technology when they've been the victim of a cyber attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame."

Human error, in a variety of ways, said Mr Cotton, often played a part.

Find My iPhone helps users locate and protect their iPhone, iPad, iPod touch, or Mac - if it's ever lost or stolen.

Despite the claims, it is possible that the photos were not taken via iCloud, but as a result of "social engineering".

This form of hacking works by studying which online services your target uses, before compiling as much information on them as possible, such as their email address, a mother's maiden name, a date of birth, and more.

This data can then be used to trick them into handing over their details or to guess their password. If a celebrity uses the same password across accounts, this would then make it relatively easy for someone to hack them if they had the right information.

But the sheer number of names on the list makes this unlikely - unless a large number of hackers were taking part, and a large number of celebrities had poor password management.

Other notable services to allow users to access files remotely include Dropbox and Google Drive, which enable users to keep more of their files close to hand without taking up huge amounts of memory on their devices.

Following the publication of the photos, a spokesman for Oscar winner Lawrence confirmed to MailOnline that the images of her are genuine.

"This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence," the emailed statement read.

MailOnline has contacted Apple for comment.


- Daily Mail

© Copyright 2015, APN New Zealand Limited
