An emergency update was released by Apple for Find My iPhone, closing a flaw that allowed an unlimited number of iCloud password guesses without triggering any lockout or other security consequence.
As its name suggests, Find My iPhone has been designed to help users track their lost iOS device and lock it. This is done through iCloud, so signing into the service is necessary to access the tracking and content protection features.
After hackers leaked the personal pictures of various female celebrities from their iCloud accounts, theories about how the deed was carried out started to emerge.
Brute-forcing their way into the accounts appears to be the most likely method used by the perpetrators, especially since the intrusions seem to have been carried out over a period of months, with the data collected gradually.
In a brute-force attack, the attacker enters password guess after password guess into the login field until the right one is found. A simple defence is to limit the number of failed login attempts an account accepts before further attempts are refused.
It seems that Find My iPhone did not have this restriction in place, which allowed the hackers to run as many guesses as they wanted until the right password was discovered.
Against a strong password, a brute-force operation requires both time and computing power before the correct password is found. Weaker passwords, which seem to have been involved in this incident, can be recovered in a matter of hours.
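The failed-attempt limit described above, as an added illustration that is not Apple's code: a server-side guard that counts consecutive failed logins per account, refuses all further guesses once the limit is hit, and doubles the lockout each time it recurs. The account name, credential store, thresholds and the PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed guesses since the last success or lockout
    lockouts: int = 0          # lockouts so far; each one doubles the next lockout length
    locked_until: float = 0.0  # epoch seconds until which all logins are refused

def make_credential(password: str, salt: bytes = None) -> tuple:
    """Constructed credential record (salt, PBKDF2 digest); iterations kept low for the demo."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LoginGuard:
    """Refuses further guesses after max_failures consecutive failures and escalates the
    lockout on every repeat, capped at max_lockout: the limit the article says was missing."""
    def __init__(self, credentials, max_failures=5, base_lockout=60.0, max_lockout=3600.0):
        self._creds = credentials   # account name -> (salt, digest)
        self._state = {}            # account name -> AccountState
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout

    def attempt(self, account: str, password: str, now: float = None) -> str:
        """Returns "ok", "denied" or "locked"; `now` is injectable so tests can fake time."""
        now = time.time() if now is None else now
        st = self._state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"         # nothing is checked while locked, right password or not
        record = self._creds.get(account)
        # Unknown accounts are checked against a dummy record so timing does not reveal existence.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, digest = make_credential(password, salt)
        if record is not None and hmac.compare_digest(digest, expected):
            self._state[account] = AccountState()   # success clears the failure counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.lockouts += 1
            delay = min(self.base_lockout * 2 ** (st.lockouts - 1), self.max_lockout)
            st.locked_until = now + delay
            return "locked"
        return "denied"
```

Guesses made during a lockout are not checked at all, so even the correct password is refused until the window expires; a production service would additionally persist the counters and alert on repeated lockouts of one account.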
A brute-force tool for the Find My iPhone vulnerability, called iBrute, appeared on GitHub a day before the pictures started to be published on 4Chan.
Many speculated that the hackers used this tool, but a collection of photos this large could not have been amassed in such a short time. This suggests that the hackers had learned of the bug some time earlier and used a different brute-forcing tool to carry out their deed.
Initially, Apple declined to comment on the matter, but it later said that it was actively investigating the iCloud breach.
The list of celebrities allegedly affected by the hack includes over 100 names. Not the entire cache of stolen images has been leaked on public boards such as 4Chan and AnonIB; the hackers said they would publish the images gradually and asked for donations in return.
Among the celebrities affected by the incident are Jennifer Lawrence, Kate Upton, Mary Elizabeth Winstead, Yvonne Strahovski, Hope Solo, Mckayla Maroney, Ariana Grande, Victoria Justice and Kirsten Dunst.
The list also includes the names of Rihanna, Selena Gomez, Mary Kate Olsen, Kaley Cuoco, Kate Bosworth, Kim Kardashian, Megan Boone, Vanessa Hudgens and Scarlett Johansson.