Apple closed a gap in iCloud security over the holiday weekend, a gap that facilitated brute-force password breaking. The move comes in the wake of celebrity nude photos that were allegedly stolen from PhotoStream iCloud storage and distributed online. Apple issued a statement on Monday saying it was actively investigating the reports.
"We take user privacy very seriously and are actively investigating this report," an Apple spokesperson told Re/code.
In case you've had the temerity to step away from a computing device over the weekend, here's a breakdown of what's been happening:
Nude and otherwise risque photographs of Jennifer Lawrence, Ariana Grande, Mary Elizabeth Winstead, Kate Upton, and more than 100 others were posted to 4chan. The bottom feeders responsible demanded Bitcoins for a peek at the images, and BusinessInsider reported that they netted a grand total of US$95 worth of the cryptocurrency—a princely sum, as Engadget put it.
Some of the photos have been verified as real by the celebrities themselves, while others have been labeled as fakes. That effects this story only so much as it involves whether or not they were stolen from iCloud accounts, which Apple or anyone else who can has not yet verified. Mary Elizabeth Winstead, for instance, tweeted that her photographs had been deleted long ago:
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.— Mary E. Winstead (@M_E_Winstead) August 31, 2014
In the meanwhile, Engadget reported on a piece of code called iBrute hosted on Github, a repository for online source code. Developed (in theory, at least) as a proof-of-concept exploit on iCloud security, iBrute allowed users to perform brute force attacks on Apple's Find My iPhone.
Brute force attacks refer to efforts to simply try one password after another until you get one that works. Because Find My iPhone allowed unlimited attempts to enter a password, it was perfectly exploitable by brute force attacks—this is a big deal and something Apple should have had right from the get-go.
It's fixed now, however, as noted by the developers of iBrute, which may or may not have been used in the celebrity photo theft in the first place. The patch notes for iBrute now say, "The end of fun, Apple have just patched."
While that's been fixed, and while we await word on whether these images came from PhotoStream in the first place, this seems a nice reminder to enable two-step authentication on your iTunes/iCloud account.
In 2013, Apple brought two-factor authentication to iTunes and iCloud, a security feature that requires users to enter a code sent to one of their own devices before allowing a new device to access their accounts or otherwise meddle with them.
I penned a primer explaining how to set it up at that time. Do it. Now.
Cloud image made with help from Shutterstock.