Apple's iCloud breach: It's not just about naked photos


While practically all of the coverage about the possible breach of iCloud has been about the disclosure of naked celebrity photos, the security issues with iCloud also pose a risk to data stored in the cloud service.

For those not familiar with iCloud, it is Apple's cloud storage and backup service that automatically backs up photos and data from iOS devices.

Hackers apparently exploited a flaw in iCloud's Find My iPhone service to gain access to the revealing photos of dozens of celebrities, including actress Jennifer Lawrence, according to an analysis by Owen Williams with The Next Web.

Williams explains that a Python script uploaded to GitHub appears to have allowed the attackers to launch brute force attacks against iCloud accounts, enabling them to eventually guess the passwords because the Find My iPhone API failed to limit the number of failed guesses.

"The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely," Williams writes.

While Apple says it has patched the flaw, the script's creator, Hackapp, tells Williams that the bug is common for "all services which have many authentication interfaces" and with "basic knowledge of sniffing and reversing techniques" it is "trivial" to uncover them.
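The missing control described above, as an added example (not code from Apple, The Next Web or the script's author): a failed-login counter keyed by account and shared by every authentication interface, with a lockout and an alert. The policy values, interface names and credentials are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy: 5 failures within 5 minutes locks the account for 15 minutes.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 900

class LoginThrottle:
    """Failure counter keyed by account and shared by all auth interfaces."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock time
        self.alerts = []                    # (account, interface) that tripped

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account, interface):
        now, recent = self.clock(), self.failures[account]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:  # drop failures outside window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.alerts.append((account, interface))  # notify owner/SOC here
            recent.clear()

def authenticate(throttle, verify, account, password, interface):
    """Single entry point that every interface must call."""
    if throttle.is_locked(account):
        return "locked"  # refuse before the password is even checked
    if verify(account, password):
        throttle.failures.pop(account, None)  # success resets the counter
        return "ok"
    throttle.record_failure(account, interface)
    return "denied"

def demo():  # constructed scenario: wrong guesses alternate between interfaces
    now, user, out = [0.0], "alice@example.com", []
    throttle = LoginThrottle(clock=lambda: now[0])
    verify = lambda acct, pw: (acct, pw) == (user, "correct-horse")
    for i in range(6):
        iface = ("web_login", "device_locator_api")[i % 2]
        out.append(authenticate(throttle, verify, user, f"guess{i}", iface))
        now[0] += 1
    out.append(authenticate(throttle, verify, user, "correct-horse", "web_login"))
    now[0] += LOCKOUT_SECONDS  # wait out the lockout
    out.append(authenticate(throttle, verify, user, "correct-horse", "web_login"))
    return out, throttle.alerts
```

A hard lockout can itself be abused to lock legitimate users out, so deployments commonly combine it with per-source limits or an extra challenge.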

Sean Gallagher with Ars Technica warns: "Because Apple and other devices automatically upload so much to the cloud, by default--including full phone backups, which, if an account is compromised, could be downloaded by an attacker onto another device--these personal cloud services are particularly dangerous."

Gallagher adds: "Their usability in terms of content management is poor at best--does anybody really know what's sitting in Apple's or Google's data stores from their phones? This, combined with ongoing threats like carefully-crafted phishing attacks and large-volume password cracking, makes it especially hard to protect mobile data in a world where everything on your phone is already on the Internet, protected only by your login credentials."

As demonstrated by Gallagher's colleague Dan Goodin, the two-step verification process used for access to iCloud accounts does a poor job of protecting information--whether naked photos or confidential corporate data.

So BYOD users of iOS devices beware: Your naked corporate data might be the next victim of lustful cyber thieves. -Fred