The Cameron Diaz and Jason Segel “Sex Tape” movie may have just become a reality. An alleged breach in Apple’s iCloud service may be to blame for hundreds of leaks of private celebrity photos that happened this weekend.
A Python script emerged on GitHub that appears to have allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find My iPhone service. Brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one.
The vulnerability which is alleged to have been discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
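The missing control described above is a lockout or throttle on repeated failed logins. The following is an added illustration, not code from the article or from Apple, of what that control looks like on the server side: a toy login service with a per-account failure counter, a temporary lockout and an alert hook, plus a simulation showing how many guesses from a constructed password list are actually evaluated with and without the lockout. The account name, password list and thresholds are constructed sample values.

```python
from dataclasses import dataclass
import time

# Constructed policy values; real deployments tune these and usually add
# per-source-IP throttling and step-up verification on top.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Minimal login endpoint with optional per-account lockout and alerting."""

    def __init__(self, credentials, enforce_lockout=True, clock=time.time):
        # Constructed sample store: username -> password (a real store keeps
        # salted hashes and compares in constant time; plain text is used
        # here only to keep the demonstration short).
        self._credentials = credentials
        self._state = {}
        self._enforce = enforce_lockout
        self._clock = clock
        self.alerts = []  # what a defender would forward to SIEM / the user

    def authenticate(self, username, password):
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if self._enforce and state.locked_until > now:
            return "locked"  # refused without even checking the password
        if self._credentials.get(username) == password:
            state.failures = 0
            return "ok"
        state.failures += 1
        if self._enforce and state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            self.alerts.append(
                f"{username}: {state.failures} consecutive failures, "
                f"locked for {LOCKOUT_SECONDS}s"
            )
        return "denied"


def simulate_guessing(service, username, guesses):
    """Return (guesses actually evaluated, whether the password was found)."""
    evaluated = 0
    for guess in guesses:
        result = service.authenticate(username, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


# Constructed demo account and a short constructed guess list in which the
# real password happens to be the seventh entry.
DEMO_ACCOUNT = "alice@example.com"
DEMO_CREDENTIALS = {DEMO_ACCOUNT: "correct horse"}
DEMO_GUESSES = ["123456", "password", "qwerty", "letmein",
                "abc123", "iloveyou", "correct horse"]


def run_demo():
    unprotected = LoginService(dict(DEMO_CREDENTIALS), enforce_lockout=False)
    protected = LoginService(dict(DEMO_CREDENTIALS), enforce_lockout=True)
    without = simulate_guessing(unprotected, DEMO_ACCOUNT, DEMO_GUESSES)
    with_lockout = simulate_guessing(protected, DEMO_ACCOUNT, DEMO_GUESSES)
    return {"without_lockout": without,
            "with_lockout": with_lockout,
            "alerts": list(protected.alerts)}


if __name__ == "__main__":
    print(run_demo())
```

Without the lockout every entry in the list is evaluated and the seventh succeeds silently; with it, only the first five are checked, the account is refused for the lockout window, and an alert is recorded for the account owner or SOC. The lockout here is keyed only by account name, so a real implementation also throttles by source address to blunt the obvious workaround of spreading guesses across many accounts.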
Hackapp also posted a slideshow that details the tool, why it was created and identifies other problems in iCloud keychain’s security. We’re not able to verify all the claims in the slideshow, but the creator points out the flaws we mentioned in the slide below.
It’s unclear how long this hole was open, leaving those with simple, guessable passwords easily attacked once hackers had an email address to target. There is still no concrete evidence that these images were leaked via iCloud; they may instead have been obtained via multiple attacks, though the hacker who originally leaked the images claims that they were retrieved from iCloud.
Meanwhile, The Independent reported that Apple has “refused to comment” on any security flaw in iCloud today.