It seems the attack vector is not as I described below. It now seems likely that the account reset questions were hacked.
This Labor Day weekend, 2014, the “kiddies” of the internet had a little fun at the expense of celebrities. It is a serious matter of digital theft: the online accounts of nearly a dozen attractive female celebrities were compromised, and all their stored photos were copied and shared online. The sad thing is that this kind of digital theft happens every day, 24/7. There are flaws all over the internet and many dedicated online criminals looking to profit from that information.
News of the hack was first reported on Buzzfeed here. It quickly spread on Twitter and other tech news sites like The Verge. So what's the back story? Simply put, these celebrities had their iCloud/iTunes passwords guessed. They likely had very easy, popular passwords and were easy targets. But how? Let's dive into the details so everyone can understand…
When you log into a website your web browser encrypts and sends your username and password to the website you are logging into. Dropbox is an online storage service that also has an app for your Android or iOS device, so it can store all your pictures as a backup and you don't lose any if your phone is lost or damaged. iCloud has a built-in service called Photo Stream that copies your last 1000 photos from your iPhone to your iPad and Mac/PC. All your info, available everywhere you want it to be: that's the promise of the cloud. It also leaves profitable information (bank, tax, business documents) available for digital theft. In the case of the celebs, lots of selfies.
In this particular case, not only did the compromised accounts have weak passwords, there was also a flaw in one of the backend iCloud services. Apps communicate with web servers via dedicated communication channels called Application Programming Interfaces. APIs, as they are known, let many developers or apps contact a service using the same agreed-upon language of requests and responses. In this case, the Find My iPhone application and service simply allowed unlimited tries at a username/password combination. So what, you say? They won't guess my password. Well, a human isn't sitting at their computer typing passwords all day. They write a program to automate it, and if they are smart they write it to check slowly so as not to trip network detection on the server side. With the API not refusing further guesses after 10 or so incorrect password entries, the thieves were able to try passwords to their hearts' content until they got into an account.
The code to execute this hack was freely available, along with some instructions and details:
It uses the Find My iPhone service API, where brute-force protection was not implemented. The password list was generated from the top 500 RockYou leaked passwords, which satisfy the Apple ID password policy. Before you start, make sure it's not illegal in your country.
Be good 🙂
Be good…ha! So, as I guessed rightly when the news broke, the hackers used a password list from other, previously compromised websites. A list of the top 500 passwords was provided to get you started; you can easily source lists of 10,000, 100,000 or millions of passwords from the internet, all from previous website hacks. This is also why you shouldn't reuse passwords on different websites (and we never listen). Once one website is hacked and its usernames and passwords stolen, they become tools to attack other websites and services.
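What the missing protection looks like on the server side, as an added example that is not code from the original post or from Apple: a toy login service that locks an account after MAX_FAILURES wrong guesses (the check the Find My iPhone API lacked) and that rejects passwords found in a breach list at registration (the reuse problem described above). The ManualClock, the sample breached passwords and the 10-attempt / 15-minute numbers are assumptions for the demo.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILURES = 10          # guesses allowed before the account is locked (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long a locked account refuses all logins (assumed)
# Constructed stand-in for a leaked-password list such as the RockYou dump.
BREACHED = {"password1", "iloveyou1", "princess1", "abc12345", "qwerty123"}

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # per-account random salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0

class ManualClock:
    """Settable clock so lockout expiry can be shown without waiting 15 minutes."""
    def __init__(self, now=0.0): self.now = now
    def __call__(self): return self.now

class LoginService:
    def __init__(self, clock=time.time):
        self.accounts, self.clock = {}, clock

    def register(self, user, password):
        # Refuse passwords already circulating in breach dumps (the reuse problem).
        if password.lower() in BREACHED:
            raise ValueError("password appears in a known breach list")
        self.accounts[user] = Account(*hash_password(password))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "fail"  # same answer as a wrong password: no username enumeration
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # refused without checking, even if the guess is right
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0  # successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:  # the step the Find My iPhone API skipped
            acct.locked_until, acct.failures = now + LOCKOUT_SECONDS, 0
        return "fail"
```

A real deployment would also throttle by source address and alert on lockouts, since a slow guessing loop spread over many accounts never trips a per-account counter.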
Let's protect ourselves. Please generate a random password for each website and online account. One good source of random passwords is GRC.com, which is run by Steve Gibson, a well-known security researcher and podcaster. I highly recommend using a password manager such as LastPass or 1Password.