Apple investigates iCloud hackings
Apple investigates iCloud hackings
Apple has admitted it is 'actively investigating' claims that a flaw in the 'Find My iPhone' function of its iCloud service may have helped a hacker to steal nude photos of Jennifer Lawrence and '100 other celebrities'.
Nearly 24 hours after the publication of the images of Sunday night, Apple finally issued a statement, but the tech giant couldn't say how the alleged breach occurred and didn't offer any guarantee to its hundreds of millions of customers worldwide that the service is safe to use.
'We take user privacy very seriously and are actively investigating this report,' Apple spokeswoman Nat Kerris told the Mail Online.
However, despite not admitting the bug was caused by its system, the tech giant today quietly issued a 'patch', or fix, for the alleged 'Find My iPhone' bug some claim is responsible.
The hacker claims he or she broke into stars' iCloud accounts, including those of the Hunger Games actress, Kate Upton and Rihanna, before publishing them on 4chan, the image-sharing forum.
A list of the alleged victims of the hack - a staggering 101 in total - has also been posted online; most of whom have not seen any photographs leaked by the hacker.
And in a statement issued on Monday afternoon, the FBI confirmed that it had begun an investigation.
‘The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.
'Any further comment would be inappropriate at this time.'
Kirsten Dunst became the first celebrity to publicly criticise Apple on Monday when she posted a sarcastic message on Twitter.
The Spiderman star tweeted 'Thank you iCloud', the day after naked photos of her were published online.
Launched in October 2011, the firm's iCloud service is now used by more than 320 million people worldwide.
When activated, it automatically stores users' photos, emails, documents and other information in a 'cloud', allowing them to sync the data across a range of platforms. These include iPhones, iPads and MacBooks.
Users can then access their information from any internet-connected device using a log-in and password.
The service secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on server, and using secure tokens for authentication.
This means that information is protected from hackers while it is being sent to devices and stored online.
A possible breach suggests hackers were able to obtain the login credentials of the accounts, and therefore pretend to be the user, in order to bypass this encryption.
Earlier today, The Next Web spotted code on software development site GitHub called iBrute, that would have allowed malicious users to use ‘brute force’ to gain an account’s password on Apple iCloud, and in particular its Find my iPhone service.
A message has since appeared saying that Apple has issued a fix for the bug. 'The end of the fun, Apple has just patched,' read an update on the post.
Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.
Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.
In a six-letter attack, the hacker will start at 'a' and end at '//////'
Owen Williams from The Next Web, who discovered the bug, said: 'The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's 'Find my iPhone' service without alerting the user or locking out the attacker.
'Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly.
'Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.
'If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user's knowledge.
'We can't be sure that this is related to the leaked photos, but the timing suggests a possible correlation.'
The group who first publicised the flaw, called HackApp, have apologised for it.
'I'm really sorry that talk a few days ago have had such nasty consequences,' they said in a statement.
'In justification I can only mention, that we only described the way to hack AppleID.
'Stealing private 'hot' data is outside of our scope of interests.'
Tim Barajin, a technology analyst with Creative Strategies, backed Apple's strategy and said keeping quiet was the right option.
'Once Apple understands itself what happened, they will make a comment very fast,' he told the Mail Online.
'It's an odd one, because most of the hackers out there go after ID thefts, or banking information.
'This seems more of a targeted attack on the particular celebrities.'
'The key is we don't yet know where these files were kept, they might have been in a Dropbox account or some other service.'
The presence of a Dropbox tutorial file in one hacked account suggests that the third-party cloud storage service was a source of some pictures.
'Security in the cloud is an issue generally - you have to completely trust Google, Apple and Samsung.
'Apple has some of the most powerful encryption tools out there - which is why they have almost a billion credit cards of file, and nobody had ever got hold of those.'
Rob Cotton, CEO at web security experts NCC Group added: 'Cyber security is not just a technology problem, humans are very much key to its success. In our day-to-day work we see too many cases of employees divulging sensitive information without first verifying the legitimacy of the request.
'People often point the finger at technology when they've been the victim of a cyber attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame.'
Human error, in a variety of ways, said Cotton, often played a part.
Find My iPhone helps users locate and protect their iPhone, iPad, iPod touch, or Mac - if it’s ever lost or stolen.
Despite the claims, it is possible that the photos were not taken via iCloud, but as a result of 'social engineering'.
This form of hacking works by studying which online services your target uses, before compiling as much information on them as possible, such as their email address, a mother's maiden name, a date of birth, and more.
This data can then be used to trick them into handing over their details or guess their password.
If a celebrity uses the same password across accounts, this would be then makes it relatively easy for someone to hack if they had the right information.
But the sheer number of names on the list makes this unlikely – unless a large number of hackers were taking part, and a large number of celebrities had poor password management.
Other notable services to allow users to access files remotely include Dropbox and Google Drive, which enable users to keep more of their files close to hand without taking up huge amounts of memory on their devices.
Following the publication of the photos, a spokesman for Oscar winner Lawrence confirmed to the Mail Online the images of her are genuine.
'This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,' the emailed statement read.
On Sunday, the hacker wrote that he or she is accepting Paypal donations for a video which allegedly shows Lawrence performing a sex act.
The hacker also wrote, 'I know no one will believe me, but I have a short Lawrence video
'Is way too short, a little over 2 minutes and you only get to see her boobs
'Anyways, if somebody wants it let me know how i can upload it anonymously (i dont want the FBI over me, and you dont wanna know how I got this video.)'
'Jennifer Lawrence' became a Twitter trend on Sunday afternoon.
Meanwhile, Perez Hilton has apologised on Twitter for posting some of the naked photos of Lawrence on his blog, saying he feels 'awful'.
The celebrity blogger, who has since deleted the photos from the site, told his followers: 'I acted in haste just to get the post up and didn't really think things through. I'm sorry.'
He added: 'Upon further reflection and just sitting with my actions, I don't feel comfortable even keeping the censored photos up. I am removing them.'
A spokesman for Kate Upton sent the Mail Online a statement from her attorney, Lawrence Shire, about the leaked photos. 'This is obviously an outrageous violation of our client Kate Upton's privacy,' the statement said.
'We intend to pursue anyone disseminating or duplicating these illegally obtained images to the fullest extent possible.'
Actress Mary Elizabeth Winstead, who confirmed she was a hacking victim, wrote on Twitter 'To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.'
She also expressed sympathy for others, tweeting: 'Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.'
Winstead implied she was facing difficulties on Twitter on Sunday, when she tweeted 'Great day for the block button!'
She later said she was taking a break from social media.
Twitter is shutting down accounts that are disseminating the pictures. In response to a request for comment from the Mail Online, a Twitter spokesman said: 'We do not comment on individual accounts, for privacy and security reasons,' and referred the Mail Online to the company's content boundaries web page.
Photographs that allegedly show Kaley Cuoco-Sweeting, Lea Michele, Brie Larson, Kirsten Dunst, Becca Tobin, Hope Solo, Teresa Palmer, Krysten Ritter, McKayla Maroney, Jessica Brown-Findlay, Ali Michael, and Yvonne Strahovski appeared online.
Some of the women named as alleged victims - but who have not had any of their supposedly nude photographs leaked - include Aubrey Plaza, Candice Swanepoel, Cara Delevingne, Cat Deeley, Hillary Duff, Kelly Brook, Michelle Keegan, Selena Gomez, Rihanna, Vanessa Hudgens and Farrah Abraham.
A spokesman for Keegan, the former Coronation Street actress, said there was no evidence she had been hacked and nothing had appeared online to suggest so.
A rep for Keke Palmer - who was mentioned on the list but whose allegedly 'nude' photographs were not leaked - told the Mail Online 'Obviously there is no truth to this list and no nude photos of Palmer.'
Model Gabi Grecko - also named on the list but of whom, no photographs have been published - told Daily Mail Australia: 'I feel like anything I didn't release myself that was accessed without my permission is shameful.'
'Some people are very private and maybe hugely affected and feel violated because of this. There have also been many suicides connected to non consented photos being released.'
Meanwhile, Abraham told the Mail Online: 'It is disturbing pervert behavior that should face legal consequences.'
She added she should 'not continue to give further attention' to the 'attention-seeking' move.
Not all of the nude photographs that have been published are genuine, however.
A spokesman for Ariana Grande told the Mail Online photos that claim to show her are fake. Similarly, Nickelodeon star Victoria Justice wrote on Twitter that her image was faked. She tweeted, 'These so called nudes of me are FAKE people. Let me nip this in the bud right now. *pun intended.*'
Justice retweeted a user named @JusticeCosgrove, who wrote 'GUYD [sic] WE ARE SO STUPID THE VICTORIA JUSTICE NUDES ARE FAKE, LOOK. CLEARLY AN OLD PICTURE OF HER EDITED & FLIPPED.'
@JusticeCosgrove included a selfie of Justice, alongside a portion of her face that was seen in one of the 'leaked' photographs.
Seth Rogen criticized the hacker on Twitter, writing 'Posting pics hacked from a cell phone is really no different than selling stolen merchandise.'
'I obviously am not comparing women to merchandise. Just legally speaking, it shouldn't be tolerated to repost stolen pics,' Rogen also tweeted.
A representative of Brazilian model Lisalla Montenegro said: 'regrettably Lisalla Montenegro's name is on the list of hacked celebrities. Thankfully nothing has surfaced.
'In precaution, the authorities have been informed and Lisalla's lawyer will pursue anyone duplicating or distributing these stolen images.'
A spokesman for Kelly Brook refused to comment on the hack.