Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Swordmaker

iBrute was simply a proof of concept - that didn’t mean other implementations didn’t exist secretly for months prior to the leaking. There have been no independent investigation results released dealing with the hacking that I can find. Only vague assumptions about how it could have been done - even from Apple. That Apple’s own internal investigation says “it wasn’t our fault!” means nothing, unless you also believe the current presidential administration when they say the same thing.

In fact, leaks show that Apple knew about the exploit 6 months prior to the release of photos, and did nothing about it:

http://www.dailydot.com/technology/apple-icloud-brute-force-attack-march/

“Analysis of the photos showed that many, in fact most, of the celebrity pictures were never on iCloud and had metadata that showed they came from Windows computers, Android phones, regular digital cameras (and some even digitized from film cameras images), movie clips, and other sources, which would not have been uploaded to iCloud from an Apple device.”

Link to this analysis? I’ve been unable to find anything of the sort.

I can’t tell if you’re unwilling to admit Apple was at fault, or simply unable. You have literally no evidence for any of your assertions, only your faith.

“iBrute would not have worked on iCloud except on those two words.”

Again, iBrute was a proof of concept. If a system allows you to guess passwords infinitely (as Apple’s system apparently did, through FindMyiPhone), a brute force method will always, eventually, work. Every CISSP knows this.


47 posted on 06/07/2015 5:25:05 AM PDT by Echo4C (We have it in our power to begin the world over again. --Thomas Paine)
[ Post Reply | Private Reply | To 26 | View Replies ]


To: Echo4C; for-q-clinton; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; ...
iBrute was simply a proof of concept - that didn’t mean other implementations didn’t exist secretly for months prior to the leaking. There have been no independent investigation results released dealing with the hacking that I can find. Only vague assumptions about how it could have been done - even from Apple. That Apple’s own internal investigation says “it wasn’t our fault!” means nothing, unless you also believe the current presidential administration when they say the same thing.

No, you are arguing with "facts" not at all in evidence and if such an exploit was in the wild it would be known. It simply was not. iBrute was the only one for this vulnerability and iBrute used the 500 most common passwords which was coded into it to link to it. In fact the testers had to add their passwords into that dictionary for it to be able to break into their own accounts.

There have been independent investigations released and I am not going to repeat what was released again here to satisfy you. . . and they were not "vague assumptions" but factual conclusions.

I posted that article you linked to in March of 2014, which was not related at that time with "FindMyiPhone" but with merely logging on to Apple accounts. In fact, Apple DID fix that vulnerability that Ibrahim Balic wrote to them about shortly after being notified, and Apple gave him credit for finding it. Just because an email that The Daily Dot acquired mentions something similar does not mean it is the same vulnerability. Apple closed all of those vulnerabilities quickly after that, but missed the fact that FindMyiPhone somehow was not included in the fix. That was Apple's bad.

However, Echo4C, the FindMyiPhone vulnerability was NOT the source of the celebrity photos.

The facts are that the FindMyiPhone flaw was discovered only two days before the release of iBrute (which is a very simple script exploit) and as I mentioned the "fappening" offer of the celebrity nudes were already being offered for sale on 4Chan.com and Reddit.com for three to four weeks BEFORE the discovery of the flaw in FindMyiPhone and the release of iBrute. That is a fact. Now add that the investigations, discoveries, revelations, and complaints from the people who HAD purchased the photos revealed on 4chan and reddit afterwards about the photos' real sources gained from examining the photos' metadata make it plain the majority did not come from Apple's iCloud. The seller also finally admitted he had not really "hacked" iCloud. . . but was merely selling his collection of several years from which he had been buying and trading with other members of a clandestine group of similar sellers and traders in a private newsgroup.

The FindMyiPhone vulnerability did exist and was revealed publicly on a Friday morning, but closed quickly by Apple by Tuesday. iBrute was released on Saturday evening to early Sunday morning, depending on where in the US you live. The "Fappening" hit the news on Monday after the seller announced he'd "hacked" Apple's "un-hackable" iCloud to steal the photos. It is a truism that if you add Apple to any headline, you will gain attention. He did.

I pointed out in my coverage that while the vulnerability existed, the time frames didn't work for the theft of the celebrity photos to be true. The download times did not jibe with the discovery times and the announcements. It just did not make sense. The seller would have to have a lot more resources at his beck and call than would be normally available to even start attempting it for what he seemed to be.

I explained that while the ability to try passwords did not cut out after five attempts as it did on all other log-in attempts on other Apple account log-ins, each attempt required a new log into the entire process and you have to know the user's Apple ID to even begin. Each time to even start, that ID has to be re-entered in a browser, and then a new passcode has to be attempted. . . and then you are taken back to square one if it fails to start over. It is not a quick process. Automating it cannot speed up the process by much because the speed of the internet is the limiting factor. Apple also included an increasing time delay between each attempt. Therefore a high velocity brute force system cannot try multiple passwords as rapidly and takes much longer than you might think.

There are 223 characters accessible from the Apple keyboard and all of them are permitted in a password. An AppleID password can be 8 to as long as 256 characters. . . but let's just limit it to 8 characters. It must include at least one upper and one lower case letter, one number, and one keyboard accessible symbol, and it cannot have more than three consecutive identical characters. The potential number of passcodes is 8^223 = 2.44944165532867 X 10^201 possible passcodes. That number is astronomical. If we were to just limit it to upper and lower case letters and numbers, the number is 9.80797146154169 X 10^55, but that is not Apple's requirement. No brute force method can possibly break into a passcode with that many possibilities using a dictionary means. . . they'd have to be extremely lucky to even get ONE in a weekend, much less hundreds of random celebrities, AND download thousands of nude photos.

I provided links at that time and I am not interested in searching all that out again.

Fixing the FindMyiPhone vulnerability was not a device level vulnerability or problem. It was a problem at the server level and involved only changing the code at the server to include the same code already being used for log-in for all other account access to iCloud. Problem solved.

iBrute was not a "proof of concept" but was actually released into the wild. Proof of concept exploits are sent to computer security companies or shown at white hat conferences. This was not. . . it was immediately made available for anyone to use. Sorry. You are just wrong on this.

As part of that coverage, I did the analysis of the passcodes in the dictionary that iBrute linked to and posted the results on Freerepublic. Twenty-two of the 500 most commonly used passwords were long enough and included numbers and only two of those included numbers and a symbol. That was all that met Apple's requirements to be accepted as a legitimate iCloud passcode. However, in the linked dictionary were two passcodes completely unlike all the rest of the passcodes in the dictionary (I cited both in my coverage). . . those that were the passwords apparently owned and tested by the author and his tester that they obviously added so that iBrute would work on their iCloud accounts.

The fact is, that some of the celebrities' photos did indeed come from iCloud. . . but every one of them had their iCloud passwords changed so that a hacker could get access. The hacker did NOT get access through a brute force trial-and-error attempt. Instead they broke in by answering the celebrities' too easy to answer self-selected security questions. Questions such as "What was the name of the elementary school you attended in third grade?" are facts that are almost impossible to determine for John and Jane Doe nobodies, but for a celebrity, that data is easily learned from the biographies generally published in fanzines. The same for such questions as "What was the name of your first pet?" That's covered in the bio, too. The group that steals these photos stated they use this technique to get into celebrity accounts all the time. . . and that they also befriend the celebrities to gain the knowledge to do it. This was all uncovered in the investigation.

The records at Apple showed that the compromised celebrity accounts ALL had their passwords CHANGED by use of "I forgot my password" and the use of the "security question" means of password changing. The celebrity had to change them back, and frequently had to have help to do that because the hacker changed their security questions as well as the password!

49 posted on 06/07/2015 1:11:05 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 47 | View Replies ]
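
A server-side sketch of the gap both posts describe, where one endpoint was left out of the attempt limiting applied to every other log-in path. This is an added example, not part of the thread and not Apple's code; the class names, the five-failure lock and the doubling delay are assumptions.

```python
# Added illustration; names, limits and endpoints are hypothetical, not Apple's code.
import hmac

MAX_FAILURES = 5   # consecutive failures before the account locks
BASE_DELAY = 2.0   # seconds; doubles after each failure

class AttemptLimiter:
    """Per-account failure state shared by every credential-checking endpoint."""
    def __init__(self):
        self.failures = {}    # account -> consecutive failures
        self.not_before = {}  # account -> earliest time the next guess is evaluated

    def allowed(self, account, now):
        if self.failures.get(account, 0) >= MAX_FAILURES:
            return False      # locked until an out-of-band reset
        return now >= self.not_before.get(account, 0.0)

    def record(self, account, ok, now):
        n = 0 if ok else self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.not_before[account] = now + (BASE_DELAY * 2 ** (n - 1) if n else 0.0)

class AuthService:
    def __init__(self, credentials):
        self.credentials = credentials  # constructed sample; real stores hold salted hashes
        self.limiter = AttemptLimiter()
        self.evaluated = 0              # password comparisons actually performed

    def _verify(self, account, password):
        self.evaluated += 1
        stored = self.credentials.get(account, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def guarded(self, account, password, now):    # endpoint wired to the limiter
        if not self.limiter.allowed(account, now):
            return "throttled"
        ok = self._verify(account, password)
        self.limiter.record(account, ok, now)
        return "ok" if ok else "denied"

    def unguarded(self, account, password, now):  # endpoint left out of the limiter
        return "ok" if self._verify(account, password) else "denied"

def evaluated_after(endpoint_name, wrong_attempts, spacing=1.0):
    # Count server-side password checks for a run of wrong guesses, one per `spacing` s.
    svc = AuthService({"user@example.test": "constructed-Passw0rd!"})
    for i in range(wrong_attempts):
        getattr(svc, endpoint_name)("user@example.test", f"wrong-{i}", i * spacing)
    return svc.evaluated
```

Counting `evaluated` per endpoint in a test suite is one way to catch a credential-checking path that was never routed through the shared limiter.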

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson