Saturday , 20 January 2018
Home » NEWS » EDITOR’S NEWS » Password guessing malware blamed for nude celeb photo leak

Password guessing malware blamed for nude celeb photo leak

Malware which uses brute force tactics to try and gain access to user accounts has been blamed for the leaking of nude celebrity photos.

 

According to The Next Web, intimate photos of actresses and singers were posted on the forum 4chan. Later, it reported that a piece of code was posted to code development website GitHub which repeatedly guesses passwords for the ‘Find my iPhone’ feature, using the 500 most common passwords approved by Apple.

 

Apple has since issued a patch for the bug, but it is suspected that use of common or weak passwords by celebrities including Ariana Grande, Jennifer Lawrence and Mary Elizabeth Winstead was the reason behind the hack. The photos were taken from their personal iCloud storage.

 

The script author Hackapp told the website that the bug is common for all services which have many authentication interfaces and that, with basic knowledge of sniffing and reversing techniques, it is “trivial” to uncover them.

 

When asked if the method could have been used in the celebrity hacking, Hackapp said “I’ve not seen any evidence yet, but I admit that someone could use this tool.”

 

Trend Micro vice president of security research Rik Ferguson, told IT Security Guru that it is certainly possible to script a brute force attack against any service, and this is something for which many tools already exist.

 

“However, I would expect good services to have rate limiting and lockout in place to combat this, but from simply playing with the web front end of the iCloud website it seems pretty clear these are not in place,” he said.

 

Stefano Ortolani, security researcher at Kaspersky Lab, commented that the security of a cloud service depends on the provider, but as soon as you hand over any data (including photos) to a third-party service, you need to be aware that you automatically lose some control of it.

 

“In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know (and control) when the data is set to automatically leave your device,” he said.

 

“For instance, in iCloud there is a feature called “My Photo Stream” which uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices. Disabling this option might be a good starting point to be a bit more in control.”

About Dan Raywood

Dan Raywood is the editor in chief of the IT Security Guru. A journalist with more than 13 years experience, Dan has been at the forefront of the information security industry.

As the news editor of SC Magazine he covered breaking stories such as Stuxnet, Flame and Conficker and the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU’s mandatory data breach disclosure law and a vulnerability which affected more than 200 sites.

Contact Dan on dan@itsecurityguru.org, by phone on 0207 1832 839