Privacy advocates and security experts are questioning the safety of using cloud storage websites after hundreds of sexually explicit photos of Hollywood A-list celebrities, including Oscar-winning actress Jennifer Lawrence, Kirsten Dunst and Kate Upton, were reportedly hacked from Apple iCloud.

The FBI said on Monday that it is conducting an investigation of the leaks after a number of celebrities confirmed that the photos were authentic, including Lawrence, who said through her publicist that she will seek legal prosecution against the person who originally posted her photos and anyone who attempts to redistribute them.

Apple, for its part, has finally acknowledged the issue, saying that they "take user privacy very seriously and are actively investigating this report."

This is not an admission of liability, but experts are already pointing a finger at Apple's lax security measures for iCloud. On Saturday, mobile security firm HackApp posted on GitHub the code for iBrute, a proof-of-concept tool that shows how attackers can use a brute-force technique to take advantage of the vulnerability in the Find My iPhone service, which is connected to iCloud's Photo Stream photo storage and the password manager iCloud Keychain. In a brute-force attack, hackers make password guesses, without limit where the service allows it, until one of them chances upon the right password.

Testing conducted by Owen Williams of TheNextWeb on Monday shows that Find My iPhone locked out Williams after five attempts to enter his account with the wrong password, suggesting that Apple quietly patched the security hole after HackApp's discovery of the vulnerability.
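The lockout behaviour described above can be sketched as follows. This is an added example, not Apple's code or anything from the original article: the five-failure threshold comes from the test reported above, while the window, the lockout duration, the endpoint names and the `LoginThrottle` class are assumptions made for illustration. The counter is keyed on the account alone, so every service that accepts the password shares one limit.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # threshold seen in the test described above
WINDOW_SECONDS = 900    # assumption: failures are counted over 15 minutes
LOCKOUT_SECONDS = 1800  # assumption: how long a lockout lasts

class LoginThrottle:
    """Hypothetical per-account failure counter shared by all endpoints."""

    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password         # callable(account, password) -> bool
        self._clock = clock
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lockout ends
        self.audit = []                      # (time, account, endpoint, result)

    def attempt(self, account, password, endpoint):
        """Return 'ok', 'denied' or 'locked'; endpoint is audited, never keyed on."""
        now = self._clock()
        recent = self._failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if self._locked_until.get(account, 0) > now:
            result = "locked"                # decided before the password is checked
        elif self._check(account, password):
            recent.clear()
            result = "ok"
        else:
            recent.append(now)
            result = "denied"
            if len(recent) >= MAX_FAILURES:
                self._locked_until[account] = now + LOCKOUT_SECONDS
                recent.clear()
        self.audit.append((now, account, endpoint, result))
        return result

def demo():
    """Constructed run: guesses alternate between two made-up endpoints."""
    t = [0.0]
    throttle = LoginThrottle(lambda a, p: p == "correct-horse", clock=lambda: t[0])
    results = []
    for i, guess in enumerate(["a", "b", "c", "d", "e", "correct-horse"]):
        t[0] += 1
        endpoint = ("web", "device-locator")[i % 2]
        results.append(throttle.attempt("alice", guess, endpoint))
    t[0] += LOCKOUT_SECONDS                  # wait out the lockout
    results.append(throttle.attempt("alice", "correct-horse", "web"))
    return results
```

Because the lockout is evaluated before the password, even the correct guess is refused while the account is locked, which is what removes the value of continued guessing. A hard lockout also lets anyone lock the owner out by guessing badly, so it is usually paired with a second factor or gradual throttling.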

Other security experts believe it was a deliberate, straightforward attack that could have been easily prevented using a method known as two-factor authentication. Apple offers this method to increase security for its users, and so do other major technology companies such as Google and Facebook. However, Darien Kindlund, director of threat research at security firm FireEye, says Apple does not go out of its way to inform its customers about this additional security step. Essentially, two-step authentication requires the user to enter, in addition to the password, a second numerical code sent to the user's phone number. Because this code changes every time a user logs in, it is much more difficult for cyber-criminals to hack into an account protected by two-step authentication.

"In general Apple has been a little late to the game in offering this kind of protection, and doesn't advertise it," says Kindlund in an interview with Re/code. "You have to dig through the support articles to find it."

This isn't the first time Apple has been criticized for the lack of security in iCloud. In 2012, Wired technology writer Matt Honan found all of his digital data erased after hackers brute-forced their way into his Apple account. The incident led Apple to introduce two-factor authentication but apparently did not lead to a limit on login attempts until now.

"It is important for celebrities and the general public to remember that images and data no longer just reside on the device that captured it," says security analyst Ken Westin at Tripwire. "Although many cloud providers may encrypt the data communications between the device and the cloud, it does not mean that the image and data is encrypted when the data is at rest. If you can view the image in the cloud service, so can a hacker."

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.