As the FBI confirmed that they are investigating the leaking of nude photographs (some real, some fake) of a hundred female celebrities, the hunt for the person(s?) behind it is also on online, as 4chan users are trying to ferret out the identity of the leaker.
Another thing to determine is how the photos were stolen.
Apple has patched a vulnerability in the Find My iPhone online service that could have been used to access the celebrities’ iCloud accounts by brute-forcing the passwords, after a tool leveraging the flaw was published on GitHub a day before the pictures were leaked.
The tool’s author said that it is very unlikely that it was used for the hack, as “it’s very difficult to perform this kind of targeted attack in one day.” The revelation that media outlets have been getting offers to buy the photos for weeks before the leak seems to confirm this.
But, he pointed out, it’s possible that the hackers exploited the same vulnerability.
As this case unravels, Symantec’s Satnam Narang warns users to be careful about Apple ID phishing and SMSishing attempts that are sure to follow the news, and about links that supposedly lead to the photos, but will actually take them to malicious spoofed websites trying to get them to install malware.
UPDATE: Andrew Jaquith, CTO and SVP Cloud Strategy at SilverSky, shared with us his opinion about the hack:
I looked at the “ibrute” code on GitHub also and concluded that this was a garden-variety brute-force attack. The code would lead you to conclude that the speculation about Apple not limiting the number of guesses when authenticating to Find My iPhone via JSON is correct. This is clearly meant to be used by applications and isn’t a browser interface screen.
More interestingly, the “fmipmobile.icloud.com” host that the ibrute code authenticated against is found in 76 other GitHub projects. Pretty much every one of these are meant to allow programmers to query the location of an iPhone. So this authentication vector was clearly well-known to the broader programming community. It just so happened that some opportunistic hackers realized that it could be used to brute-force account passwords because it didn’t have effective lockout controls.
Pulling back to 10,000 feet: we can expect that this there will be other examples like this: exploiting (1) cloud service authentication APIs — meant to be used by programmers — that (2) have security controls that are less stringent than those that are user-facing. This iCloud hack is merely the highest profile example, but one can expect opportunists to look for weaknesses in every case where a mobile app or native touches a remote cloud service. iCloud, Google Play Services, and the various mobile app stores are all fair game, as well as many others.