By Jef Cozza / CIO Today. Updated September 02, 2014.
Nude photos, videos, and personal files belonging to actress Jennifer Lawrence and other Hollywood celebrities were stolen from Apple’s iCloud storage service and released on the Internet on Sunday.
The images of Lawrence, singer Rihanna, actress Lea Michele and model Kate Upton were released on the online message board 4chan. Private photos of up to 100 other celebrities may have been stolen from iCloud, according to reports.
Hack Type Still a Mystery
Although it is still unclear how the hacker managed to break into personal iCloud accounts, the attack may have exploited a bug known as iBrute, a Python script in Apple’s Find My iPhone service. The bug had been posted on GitHub, a code-sharing Web site, a few days before the attack. Find My iPhone allows users to track the location of lost or stolen handsets and disable them remotely.
The bug allowed hackers to use a Python script to try an infinite number of passwords until hitting the right one, a type of hack known as a “brute force” attack. Typically, Web sites and other services lock down an account after too many failed attempts to prevent such an attack from succeeding.
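The lockout described above only works if every login path feeds the same per-account counter. The following sketch is an added example, not code from Apple or from the original article; it compares a deployment where one endpoint skips the counter with one where all endpoints share it. The endpoint names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Locks an account after max_failures wrong passwords inside a sliding window."""

    def __init__(self, max_failures=5, window=300, lock_for=900, unthrottled=()):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        # Endpoints that skip the counter: this models the flaw, not a feature.
        self.unthrottled = frozenset(unthrottled)
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def allowed(self, account, endpoint, now):
        if endpoint in self.unthrottled:
            return True
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, endpoint, now):
        if endpoint in self.unthrottled:
            return
        recent = self.failures[account]
        recent.append(now)
        while recent[0] <= now - self.window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            recent.clear()

def guesses_checked(tracker, events):
    """Replay failed logins; return how many reached the password comparison."""
    checked = 0
    for now, account, endpoint in events:
        if tracker.allowed(account, endpoint, now):
            checked += 1
            tracker.record_failure(account, endpoint, now)
    return checked

# Constructed sample: 40 wrong guesses for one account, 2 s apart; the first
# three hit "web_login", the rest "device_locator" (both names hypothetical).
EVENTS = [(i * 2, "alice@example.com", "web_login" if i < 3 else "device_locator")
          for i in range(40)]

if __name__ == "__main__":
    flawed = LockoutTracker(unthrottled={"device_locator"})
    shared = LockoutTracker()
    print("one endpoint exempt:", guesses_checked(flawed, EVENTS))
    print("shared per-account counter:", guesses_checked(shared, EVENTS))
```

With one endpoint exempt, every guess in the sample reaches the password check; with the shared counter the account locks after the fifth failure regardless of which endpoint received it.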
Alternatively, the attack may have involved a “phishing” expedition, in which individuals are tricked into sharing their passwords themselves. Typically, a phishing attack involves an e-mail purporting to be a legitimate request from a company, Apple in this case, for the user to enter his authentication details.
Even though the identity of the individual or group responsible for the hack is unknown, that person or persons could face serious jail time if discovered. In 2012, hacker Christopher Chaney was sentenced to 10 years in prison for stealing and leaking photos of Mila Kunis and Scarlett Johansson from their private accounts. Lawrence has said through her publicist that she intends to push for a criminal investigation into the leaks. Both the FBI and Apple have said they are investigating the attack.
Bad Timing for Apple
The news comes just one week before Apple’s special media event promoting its new iPhone. The development could be a public relations nightmare for the tech giant that was looking to hype the new iPhone’s rumored near field communication technology, which would allow customers to use their iPhone handsets to make physical purchases. That functionality may be much less attractive in the light of iCloud’s security issues, even though iCloud would not likely be a component in the new payment system.
The attack has certainly done the cloud storage service no favors in terms of celebrity endorsements, with actress Kirsten Dunst tweeting “Thank you iCloud” and an obscene emoji to convey her disapproval of the service.
One victim, actress Mary Elizabeth Winstead, confirmed that the photos were indeed real. Winstead said she believed she had deleted at least some of the photos several years ago, suggesting the hacker was able to access archived or backup copies of at least some of the stolen photos. Apple said it has since closed the security flaw that allowed hackers to download the photos.
Some users may have even been completely unaware they were backing up their photos to iCloud. Copies of pictures taken with iPhones or other devices are automatically stored on iCloud if users enable the Photo Stream service on their phones. Deleting a photo from the Camera Roll on the phone does not remove the backup on iCloud. Users would have to also delete the images from Photo Stream to make sure they are removed from iCloud.