By CHRISTOPHER PAPLHAM
On August 30, hundreds of celebrities’ personal photos, many of them nudes, rapidly spread throughout the Internet via forums and photo sharing sites like 4chan. Many of the victims were understandably upset at the release of what were clearly photos they had no intention of releasing.
The source of the breach was quickly traced to iCloud, a cloud data-storage site operated by Apple Inc. As a result, many consumers were concerned about the security of the iCloud storage site — an attack that can retrieve such a large quantity of sensitive, personal data exhibits massive flaws in Apple’s security.
Needless to say, Apple unsurprisingly denied that its system was the cause of the breach. Apple prides itself on producing less vulnerable systems than Microsoft (MS) Windows, even to the point of popular myths that Apple’s computers have no viruses. Apple’s own website claims that OS X Mavericks (their current operating system) is designed “with advanced technologies that work together to constantly monitor, encrypt, update — and ultimately keep your Mac safer.”
Though Apple’s OS has fewer viruses than MS Windows, the comparison is misleading without additional information only because macs make up less than 10% of the computer market share, according to MondayNote.com. Malicious hackers have more incentive to target Microsoft and other companies with greater market share than Apple, leading to fewer discovered vulnerabilities for Apple OS.
Apple claims that it was not the cause of the breach — rather the breach had come about as a result of targeted attacks, such as “spear phishing,” an attack which aims to coerce a user into providing credentials via email or a website that appears legitimate but is actually malicious. Additionally, Apple states that the security questions of some celebrities were correctly guessed; after all, thanks to their popularity, celebrities have easily accessible “personal” information, such as the names of their favorite movies or their first dogs.
Regardless of whether social engineering attacks were used, Apple is most likely at fault. A flaw in Apple’s Find My iPhone app allowed hackers to “brute force” — try every possible password from a dictionary of common possible passwords — user’s iCloud passwords. The vulnerability was not removed until soon after the celebrities’ photos were released online.
Apple has publicly claimed that after having performed a 40-hour investigation into the breach, no evidence was found that proved that this vulnerability, or any other vulnerability in any of Apple’s services or iCloud, was exploited to gain access to the photos. It isn’t likely that we’ll receive any additional information from Apple anytime soon, but from the amount of the accounts compromised, there may more be to the breach than is being publicly stated.