Apple has patched the vulnerability in its Find My iPhone app that likely was used in the attack that led to the publication of private photos belonging to dozens of celebrities over the weekend.
The victims of the breach included actors, models and athletes such as Jennifer Lawrence and Kate Upton. The photos have appeared all over the Internet, including 4chan and various photo sharing sites. Speculation raged over the weekend about how the attack may have happened and whether Apple’s iCloud service was to blame or some other vector had been used.
A mobile security team known as HackApp posted to GitHub in the days before the breach a tool called iBrute that has the ability to take advantage of the Find My iPhone flaw. Members of the HackApp team said they described the tool and a brute-force vulnerability in Apple’s Find My iPhone API at a local Defcon meeting in Moscow late last month. Apple has fixed the vulnerability, which allowed an attacker to try hundreds of possible passwords for a targeted account.
It’s not entirely clear that iBrute was used in the attack, but the HackApp team said in a statement that it had nothing to do with the attack on Apple’s iCloud service.
“I’m really sorry that the talk given by @hackappcom and @abelenko at a local @DefconRussia group meeting (@chaos_construct event) a few days ago has had such nasty consequences. And the blackhat community gave such weak, cheap and ungrateful feedback,” the statement says.
“In justification I can only mention that we only described the way HOW to hack AppleID. Stealing private “hot” data is outside our scope of interests. We discuss such methods of hacks in our narrow circle, just to identify all the ways privacy can be abused. For everyone who was involved in this incident, I want to remind that today we are living in a Brave New Global World, where privacy protection was never so weak, and you have to consider that all your data from “smart” devices could be accessible from the internet, which is a place of anarchy and, as a result, could be a source of undesirable and unfriendly activity.”
The tool released by HackApp took advantage of the fact that the Find My iPhone app, which is tied to a user’s AppleID, didn’t lock a user out after a set number of failed attempts to log in. The unnamed attackers behind the photo breach were able to target dozens of high-profile users’ accounts and eventually guess their passwords using the tool and a list of common weak passwords. The FBI has said that it’s looking into the breach, as has Apple.
Apple offers a two-factor authentication option for users that could have helped protect victims against this kind of attack. The system uses verification codes, sent either via SMS or through Find My iPhone, that the user must enter along with a password in order to log in to iTunes. The notifications sent to a victim’s device during this brute-force attack would have alerted her that someone was trying to access her account. However, this option isn’t enabled by default.
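As an added illustration (not code from Threatpost, Apple or HackApp), the missing control described in the two paragraphs above, implemented on a toy authentication service: the same password check with and without a per-account lockout, plus the notification a lockout raises. Account names, passwords, thresholds and the simulated clock are constructed for the demo.

```python
"""Toy login endpoint with and without per-account lockout (constructed demo)."""
import hashlib
import hmac
import secrets
import time


def _hash(salt: bytes, password: str) -> bytes:
    # Iteration count kept low for the demo; production would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthService:
    """With lockout=True an account is refused after MAX_FAILURES failed
    attempts until LOCKOUT_SECONDS have elapsed; with lockout=False it behaves
    like the API the article describes and keeps evaluating guesses."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, users: dict, lockout: bool, clock=time.time):
        self.clock, self.lockout = clock, lockout
        self.store = {}                       # account -> (salt, hash)
        for account, pw in users.items():
            salt = secrets.token_bytes(16)
            self.store[account] = (salt, _hash(salt, pw))
        self.failures = {}                    # account -> (count, first_failure_at)
        self.alerts = []                      # messages a user would be notified with

    def login(self, account: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        count, since = self.failures.get(account, (0, now))
        if self.lockout and count >= self.MAX_FAILURES:
            if now - since < self.LOCKOUT_SECONDS:
                return "locked"               # guess is not even evaluated
            count, since = 0, now             # window expired: start fresh
        salt, expected = self.store.get(account, (b"", b""))
        if account in self.store and hmac.compare_digest(_hash(salt, password), expected):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = (count + 1, since)
        if count + 1 == self.MAX_FAILURES:
            self.alerts.append(f"{account}: {self.MAX_FAILURES} failed logins, account locked")
        return "denied"


def run_candidates(service: AuthService, account: str, candidates: list) -> tuple:
    """Feed a constructed candidate list to the service; return (attempts, final result)."""
    for i, pw in enumerate(candidates, 1):
        result = service.login(account, pw)
        if result in ("ok", "locked"):
            return i, result
    return len(candidates), "denied"
```

With lockout disabled the correct password is eventually reached; with it enabled the sixth attempt is refused before the password is even checked, and `alerts` holds the notification the account owner would receive.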
Source: Threatpost.