“The original leaker behind the celebrity photos claimed that they accessed the images using the iCloud accounts of various celebrities,” Cook reports. “It’s unlikely that someone has broken into Apple’s iCloud service. Instead the photos most likely emerged due to a type of hacking known as ‘social engineering.’ This exploit works by learning which online services your target uses, and then compiling as much data on them as possible before using that data to either spoof access, or to simply use their email address and a guessed password to log in to their account.”
“Despite the original leaker claiming to have accessed the trove of photos thanks to an iCloud exploit, the range of devices showcased suggests that another service may have been to blame,” Cook reports. “Various naked celebrities are photographed taking selfies with Android devices and webcams. Leaked videos could not have originated from the iCloud photo backup service. The range of devices and media may mean that another backup service like Dropbox or Google Drive could be the originator of the leaked photos, with both services offering automatic backup tools for photos and videos imported from cellphones.”
Many more possibilities for how these celebrities’ photos and videos leaked are discussed in the full article here.
“The most headline-grabbing possibility for the source of the photos – a full-on frontal-assault ground-up hack of Apple’s iCloud service – is also the least likely. Large companies like Apple have dedicated in-house security teams who attempt to break into their own systems regularly,” Charles Arthur reports for The Guardian. “‘A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that,’ noted Rik Ferguson, vice-president of security research at Trend Micro.”
“As with the many celebrity hacks (and daily hacks that affect less famous people), the simpler and more likely explanation is the leak of an email and password combination, either through guesswork or ‘phishing’, when users are fooled by authentic-looking sites into entering their login details, which are then used against them,” Arthur reports. “Ferguson suggests that the hacker may have used the ‘forgot password’ link on Apple’s iCloud system after gathering the celebrities’ email addresses – perhaps from the address book of another hacked device. Alternatively, the stars used the same password on multiple services, which were captured through that.”
Read more in the full article here.
“On Monday, a Python script emerged on GitHub (which we’re not linking to as there is evidence a fix by Apple is not fully rolled out) that appears to have allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find My iPhone service,” Owen Williams reports for The Next Web. “Brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one.”
“The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target,” Williams reports. “Users on Twitter were able to use the tool from GitHub — which was published for two days before being shared to Hacker News — to access their own accounts before it seems Apple patched the hole today. The owner of the tool noticed it was patched at 3:20am PT.”
Read more in the full article here.
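The reports above describe two things: a script that guesses passwords in a loop, and a login endpoint that neither locks the account nor alerts its owner after repeated failures. The following is an added illustration written for this page; it is not the GitHub script and not Apple’s code, and it models a generic login service rather than the Find My iPhone API. The `LoginService` class, its `max_failures` setting and the short `WORDLIST` are all constructed for the example: with `max_failures=None` the service behaves the way the reports describe (unlimited guesses, no lockout, no alert), and with a limit set the same guessing loop locks the account and raises an alert before it can succeed.

```python
"""Toy login service plus a dictionary brute-force loop (added example, not
the original script or Apple's service). Shows why a missing lockout turns a
weak password into a brute-forceable one."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the password dictionaries such scripts ship with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "sunshine", "princess"]

# Iteration count kept low so the example runs in about a second; a real
# service would use a much higher work factor.
PBKDF2_ROUNDS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored verifier is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """max_failures=None reproduces the reported bug: the endpoint will check
    as many guesses as the client sends. A small limit is the fix: lock the
    account after N consecutive failures and record an alert for the owner."""

    def __init__(self, max_failures: Optional[int] = None):
        self.max_failures = max_failures
        self.accounts: dict[str, Account] = {}
        self.alerts: list[str] = []

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, _hash(password, salt))

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            # A locked account fails even for the right password until reset.
            return False
        # Constant-time comparison of the derived hash against the stored one.
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
            self.alerts.append(
                f"{email}: locked after {acct.failures} failed logins")
        return False


def brute_force(service: LoginService, email: str, wordlist):
    """What the reported script does: try each candidate until one works.
    Returns (password_or_None, number_of_attempts_made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if service.login(email, guess):
            return guess, attempts
    return None, attempts


def demo():
    """Same wordlist against the buggy and the fixed service side by side."""
    results = {}
    for name, limit in (("no lockout", None), ("lockout after 5", 5)):
        svc = LoginService(max_failures=limit)
        svc.register("victim@example.com", "princess")  # constructed account
        results[name] = (brute_force(svc, "victim@example.com", WORDLIST),
                         svc.alerts)
    return results


if __name__ == "__main__":
    for name, (outcome, alerts) in demo().items():
        print(f"{name}: found={outcome[0]!r} after {outcome[1]} attempts; "
              f"alerts={alerts}")
```

The unthrottled service hands over the password on the seventh guess and never tells anyone; the throttled one locks the account on the fifth failure, logs an alert, and the remaining guesses (including the correct one) fail. A production service would also rate-limit by source address and notify the account owner, since a lockout alone can be turned into a denial of service against the victim.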
MacDailyNews Note: The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, Twitter, email, etc.
Regardless of where these photos and videos originated, social engineering attacks of this kind can be thwarted, at least for iCloud. Turn on two-step verification for your Apple ID so that a guessed or phished password is not enough on its own to take over the account, and use a different password for every service, since two-step verification on one account does nothing for the others that share the same password. More info here.