Beware of scams following the celebrity nude photo news
Posted on 02 September 2014.
As the FBI confirmed that it is investigating the leaking of nude photographs (some real, some fake) of a hundred female celebrities, the hunt for the person (or persons) behind it is also on online, with 4chan users trying to ferret out the identity of the leaker.

Another thing to determine is how the photos were stolen.

Apple has patched a vulnerability in the Find My iPhone online service that could have been used to access the celebrities' iCloud accounts by brute-forcing the passwords, after a tool leveraging the flaw was published on GitHub a day before the pictures were leaked.

The tool's author said that it is very unlikely that it was used for the hack, as "it's very difficult to perform this kind of targeted attack in one day." The revelation that media outlets have been getting offers to buy the photos for weeks before the leak seems to confirm this.

But, he pointed out, it's possible that the hackers exploited the same vulnerability.

As this case unravels, Symantec's Satnam Narang warns users to be careful about Apple ID phishing and SMSishing attempts that are sure to follow the news, and about links that supposedly lead to the photos, but will actually take them to malicious spoofed websites trying to get them to install malware.

UPDATE: Andrew Jaquith, CTO and SVP Cloud Strategy at SilverSky, shared with us his opinion about the hack:

I looked at the “ibrute” code on GitHub also and concluded that this was a garden-variety brute-force attack. The code would lead you to conclude that the speculation about Apple not limiting the number of guesses when authenticating to Find My iPhone via JSON is correct. This is clearly meant to be used by applications and isn’t a browser interface screen.

More interestingly, the “fmipmobile.icloud.com” host that the ibrute code authenticated against is found in 76 other GitHub projects. Pretty much every one of these are meant to allow programmers to query the location of an iPhone. So this authentication vector was clearly well-known to the broader programming community. It just so happened that some opportunistic hackers realized that it could be used to brute-force account passwords because it didn’t have effective lockout controls.

Pulling back to 10,000 feet: we can expect that there will be other examples like this: exploiting (1) cloud service authentication APIs — meant to be used by programmers — that (2) have security controls that are less stringent than those that are user-facing. This iCloud hack is merely the highest profile example, but one can expect opportunists to look for weaknesses in every case where a mobile app or native touches a remote cloud service. iCloud, Google Play Services, and the various mobile app stores are all fair game, as well as many others.
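The flaw the article describes, both in the Find My iPhone service and in Jaquith's analysis of it, comes down to an API login endpoint that accepted unlimited password guesses per account. The following is an added example, not code from the article, from Apple, or from the ibrute project: a toy in-memory login endpoint that can be run with no lockout (the weak behaviour described above) or with a per-account failure threshold, plus a small audit-log check of the kind a SOC would use to spot the guessing. The account name, password, candidate list, thresholds and log format are all constructed for the example.

```python
"""Added example: a simulated API login endpoint with and without a
per-account lockout, to show why an endpoint with no lockout controls
can be brute-forced and what a defender can log and detect.
All names, thresholds and sample credentials are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash(password: str) -> str:
    # Toy hashing for illustration only; a real service would use a
    # slow, salted password hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AuthService:
    """Simulated JSON-style login endpoint (hypothetical, not Apple's).

    lockout_threshold=None reproduces the weak behaviour the article
    describes: an unlimited number of guesses per account."""
    users: Dict[str, str]                       # account -> password hash
    lockout_threshold: Optional[int] = None     # failures before lockout
    lockout_seconds: int = 900                  # how long a lockout lasts
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def authenticate(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'; every outcome is logged."""
        if self.locked_until.get(account, 0.0) > now:
            self.audit_log.append(f"{now:.0f} account={account} result=locked")
            return "locked"
        stored = self.users.get(account)
        # compare_digest avoids leaking match length through timing.
        if stored is not None and hmac.compare_digest(stored, _hash(password)):
            self.failures.pop(account, None)
            self.audit_log.append(f"{now:.0f} account={account} result=ok")
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        self.audit_log.append(
            f"{now:.0f} account={account} result=bad_password attempt={count}")
        if self.lockout_threshold is not None and count >= self.lockout_threshold:
            until = now + self.lockout_seconds
            self.locked_until[account] = until
            self.failures.pop(account, None)
            self.audit_log.append(
                f"{now:.0f} account={account} result=lockout_set until={until:.0f}")
        return "bad_password"


# Constructed sample data: one account and a short candidate list whose
# last entry is the real password, so the weak service is always cracked.
CANDIDATES = ["123456", "password", "qwerty", "letmein",
              "iloveyou", "dragon", "correct horse"]


def build_demo_service(lockout_threshold: Optional[int]) -> AuthService:
    """Fresh service holding the single constructed account 'alice'."""
    return AuthService(users={"alice": _hash("correct horse")},
                       lockout_threshold=lockout_threshold)


def simulate_guessing(service: AuthService, account: str,
                      candidates: List[str], start: float = 0.0) -> dict:
    """Drive the endpoint with the candidate list (one guess per second)
    and report whether it succeeded or was stopped by the lockout."""
    attempts = 0
    for i, guess in enumerate(candidates):
        result = service.authenticate(account, guess, start + i)
        attempts += 1
        if result == "ok":
            return {"found": True, "attempts": attempts, "locked": False}
        if result == "locked":
            return {"found": False, "attempts": attempts, "locked": True}
    return {"found": False, "attempts": attempts, "locked": False}


def failures_per_account(audit_log: List[str]) -> Dict[str, int]:
    """Detection side: count failed logins per account from the audit log,
    the signal a monitoring rule would threshold on even without lockout."""
    counts: Dict[str, int] = {}
    for line in audit_log:
        if "result=bad_password" in line:
            acct = line.split("account=")[1].split()[0]
            counts[acct] = counts.get(acct, 0) + 1
    return counts


if __name__ == "__main__":
    weak = build_demo_service(None)
    print("no lockout:   ", simulate_guessing(weak, "alice", CANDIDATES))
    print("failures seen:", failures_per_account(weak.audit_log))
    hardened = build_demo_service(5)
    print("lockout at 5: ", simulate_guessing(hardened, "alice", CANDIDATES))
```

With no threshold the whole candidate list is tried and the password is found on the seventh guess; with a threshold of five the fifth failure sets the lockout, the sixth call is refused, and the remaining candidates are never evaluated. The audit-log counter shows that even a service without lockout leaves a detectable trail, since every failed guess is logged against the same account.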
COPYRIGHT 1998-2014 BY HELP NET SECURITY.