Free Republic

Full Title: "Apple Just Patched A Security Flaw In iCloud That Could've Been Used To Hack Celebrity Accounts"

Sadly, it's not known if this is what was used.

Apple is going to have a huge black eye for a long while from this. I wonder what the settlements will cost with all the actresses.

1 posted on 09/01/2014 8:12:52 AM PDT by ConservativeMind


To: ConservativeMind

I’ll, of course, have to see the photos in question in order to determine the severity of the breech.


2 posted on 09/01/2014 8:14:50 AM PDT by Puppage (You may disagree with what I have to say, but I shall defend to your death my right to say it)

To: ConservativeMind

I can’t believe they didn’t have some kind of lockout policy. Even a ten-try maximum would be effective against brute-force; you could also establish a modest lockout duration so legitimate users could try again after a set amount of time.


4 posted on 09/01/2014 8:16:32 AM PDT by Mr Ramsbotham (Laws against sodomy are honored in the breech.)

To: ConservativeMind

I got an iPhone last week. Coincidentally, they pushed me a message that I should back it up to iCloud on Friday, just before this hit.


5 posted on 09/01/2014 8:19:10 AM PDT by DManA

To: ConservativeMind
So, why do celebrities have nude photos of themselves posted to the cloud anyway?

Bob Barker and George Clooney can keep it to themselves.

6 posted on 09/01/2014 8:19:29 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)

To: ConservativeMind

bkm


10 posted on 09/01/2014 8:24:23 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: ConservativeMind

My new iPad has iCloud as my new email address but I don’t have any naked pictures on it. No pictures at all. What else could happen?


12 posted on 09/01/2014 8:28:18 AM PDT by Ditter

To: ConservativeMind

Must have been the “Click here to download dirty pictures of celebs” backdoor...oops I mean security flaw


23 posted on 09/01/2014 8:50:25 AM PDT by bigbob (The best way to get a bad law repealed is to enforce it strictly. Abraham Lincoln)

To: ConservativeMind
What is funny to me are all the comments; if this was MS they would be slammed left and right, but since it's Apple, the little darling, even the negative comments are extremely mild. I think we are going to see more and more hacks against Apple because, for one thing, it's the challenge they desire and, for another, all the beautiful, special people own Apple products and the treasure trove of information is just too hard to resist.
27 posted on 09/01/2014 9:05:16 AM PDT by Mastador1 (I'll take a bad dog over a good politician any day!)

To: ConservativeMind

Impossible. Swordmaker always said Apple is perfect. Ha ha.


31 posted on 09/01/2014 9:18:30 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ConservativeMind

They are going to have to pay settlements - plus - no one is going to trust this Cloud business anymore


36 posted on 09/01/2014 10:08:47 AM PDT by Scotswife

To: ConservativeMind; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; ...
Thanks for the additional Ping, Conservative. Yes, Apple did patch a flaw in the FindMyiPhone API. However, the creator of the brute-force exploit, when contacted, had this to say about the overall issue:

"We discussed the tool with its creator, Hackapp, over Twitter, who said “This bug is common for all services which have many authentication interfaces” and that with “basic knowledge of sniffing and reversing techniques” it is “trivial” to uncover them. When asked if the method could have been used in the celebrity hack today, Hackapp said “I’ve not seen any evidence yet, but I admit that someone could use this tool.”"

Reviews of the metadata from the nude celebrity photographs that have been released have found that while many were taken with Apple equipment, many were also taken with Android phones and webcams on Windows PCs, which would not be likely to be stored on Apple's iCloud.

The script does apparently implement a brute force serial attack through the FindMyiPhone API using a list of the 500 most commonly used passwords such as "password, password1, passw0rd, p@ssw0rd, p@ssword, princess, princess1, etc."

Strangely, all of Alexey Troshichev's direct articles and evidence of the script and claims have been removed from the web for some reason.

Apple has been recommending for some time that users employ a two-level authentication to avoid this exact kind of exploit.


Apple iCloud Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

46 posted on 09/01/2014 4:02:38 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
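
Added example, not part of the thread and not Apple's code: the ten-try lockout suggested in post 4, applied to the point quoted in post 46 that the weakness appears when a service has many authentication interfaces. The failure counter is keyed by account only, so guesses sent through any interface share one budget. The interface names, the 15-minute duration and the account name are assumptions made for the sketch.

```python
import time

MAX_FAILURES = 10           # the "ten-try maximum" from post 4
LOCKOUT_SECONDS = 15 * 60   # assumed value for a "modest lockout duration"


class AccountLockout:
    """Failed-login counter shared by every authentication interface."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lockout ends
        self.audit = []          # (account, interface, outcome) for review

    def _is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: the legitimate user may try again.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, interface, password_ok):
        """Return 'ok', 'denied' or 'locked'.

        `interface` is recorded for auditing but is deliberately not part
        of the counter key: a per-interface counter would hand out a fresh
        ten guesses for every extra login endpoint.
        """
        if self._is_locked(account):
            outcome = "locked"   # refused even if the password is right
        elif password_ok:
            self._failures.pop(account, None)
            outcome = "ok"
        else:
            count = self._failures.get(account, 0) + 1
            self._failures[account] = count
            if count >= MAX_FAILURES:
                self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            outcome = "denied"
        self.audit.append((account, interface, outcome))
        return outcome
```

Passing a controllable `clock` lets the policy be exercised in tests without waiting for the lockout to expire.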

To: ConservativeMind

49 posted on 09/01/2014 4:21:58 PM PDT by martin_fierro (< |:)~)

To: ConservativeMind

More reports on analysis of the picture sources say that a lot have “Tumblr” watermarks on them, for whatever that’s worth. Others show Android phones in the selfies as well as Apple phones. Data that shows varied sourcing. Apple has announced they are “Actively investigating IF the data could have originated from breaches of Apple customer accounts.”


63 posted on 09/01/2014 9:18:23 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: ConservativeMind
The Washington Post just put up this interesting theory by Dan Kaminsky of WhiteOps.com:

A theory offered on Twitter by security expert Dan Kaminsky, chief scientist at WhiteOps.com, is that someone who was collecting a cache of the celebrity nudes may have been hacked by the person or people who spread the images online over the weekend. If the photos were collected by a person from different sources over a long period of time, it could explain why some of the images appear to be genuine and others are allegedly fake.

That would explain the melange of photo types.

66 posted on 09/02/2014 2:44:10 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
