1 Sep 2014

Apple patches security hole after explicit celeb photo leak

Apple updates its security measures after reports that a hacker who leaked hundreds of explicit images of celebrities may have exploited a weakness in its system.

The hacker who posted online hundreds of explicit stolen images of celebrities including Jennifer Lawrence may have exploited flaws in Apple’s security mechanism that were revealed on Saturday.

Apple’s iCloud system, which backs up users’ information online, may have been compromised by hackers using a piece of computer code that enables them to make hundreds of attempts to guess a user’s password.

The computer code or script works by trying the most common 500 passwords, enabling a hacker to “brute force” their way into a range of accounts.

Apple has now updated its system to allow only five attempts to guess a password using this method before a user’s “Apple ID” is disabled, to prevent such an attack in the future.
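The lockout described above only helps if every sign-in endpoint shares the same per-account failure counter. The following Python sketch is an added illustration, not code from Apple or from the script the article mentions; the class, the `/locate` endpoint name and the sample events are hypothetical. It replays the same constructed series of guesses against a configuration where one endpoint is exempt from counting and against one where the five-attempt limit applies everywhere.

```python
from collections import defaultdict

MAX_FAILURES = 5  # the limit reported in the article


class LockoutGuard:
    """Per-account failed-login counter shared by every sign-in endpoint."""

    def __init__(self, max_failures=MAX_FAILURES, exempt_endpoints=()):
        self.max_failures = max_failures
        # exempt_endpoints models the weakness: an endpoint whose
        # failed attempts are never counted (hypothetical names).
        self.exempt = set(exempt_endpoints)
        self.failures = defaultdict(int)
        self.disabled = set()

    def attempt(self, account, endpoint, password_ok):
        """Return 'disabled', 'ok' or 'denied' for one sign-in attempt."""
        if account in self.disabled:
            return "disabled"  # refused even if the password is correct
        if password_ok:
            self.failures[account] = 0
            return "ok"
        if endpoint not in self.exempt:
            self.failures[account] += 1
            if self.failures[account] >= self.max_failures:
                self.disabled.add(account)
        return "denied"


def replay(guard, events):
    """Feed (account, endpoint, password_ok) events through a guard."""
    return [guard.attempt(*event) for event in events]


# Constructed sample: eight wrong guesses, then a correct one, all sent
# to the same endpoint for the same (made-up) account.
ACCOUNT = "user@example.com"
EVENTS = [(ACCOUNT, "/locate", False)] * 8 + [(ACCOUNT, "/locate", True)]


def demo():
    weak = replay(LockoutGuard(exempt_endpoints={"/locate"}), EVENTS)
    hardened = replay(LockoutGuard(), EVENTS)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("exempt endpoint:", weak)
    print("uniform lockout:", hardened)
```

With the exempt endpoint, the ninth attempt succeeds after eight unnoticed failures; with the shared counter, the account is disabled after the fifth failure and the later correct guess is refused.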

“The end of the fun, Apple has just patched”, read an update posted online by the writers of the code.

Apple is yet to comment on whether it was this particular exploit that led the technology giant to issue an update.

Python attack

Owen Williams, from technology site The Next Web, discovered the bug and told the Press Association: “The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple’s ‘Find my iPhone’ service without alerting the user or locking out the attacker.

“If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user’s knowledge.

“We can’t be sure that this is related to the leaked photos, but the timing suggests a possible correlation.”

Some users on social media said that they had tested the computer code themselves and managed to use it to break into their own Apple iCloud accounts.

Technology experts have recommended that users enable two-step verification where possible, in which users log in to their accounts with both a password and a code sent to their mobile phone, to avoid password-based hacks.

While a number of the leaked explicit images were found to be fakes, actress Mary Elizabeth Winstead, who starred in A Good Day to Die Hard, acknowledged on Twitter that pictures in which she is featured are genuine.

She tweeted: “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.”