(LiveHacking.Com) – Reports are starting to emerge that Apple has patched a weakness in its ‘Find My iPhone’ service that could have been used by hackers to steal private photos of nearly 100 Hollywood celebrities. Over the weekend an anonymous hacker posted revealing pictures of nearly 100 celebrities including Oscar-winning Hunger Games actress Jennifer Lawrence, as well as personal photos belonging to Kim Kardashian, Kate Upton, Kirsten Dunst and many others. It is thought that the hacker stole the photos from Apple’s iCloud storage system.
The breach is being linked with a new hacking tool which was recently uploaded to GitHub called “ibrute.” The tool relied on the fact that Apple did not use any brute force protection in its ‘Find My iPhone’ service API. This meant that a script (like ibrute) could be used to try and crack Apple passwords by brute force (i.e. by trying thousands of passwords in rapid succession). The ibrute tool used the top 500 passwords from the RockYou leaked passwords. The RockYou list includes passwords which satisfy Apple’s password policy.
Apple requires its users to create passwords with a minimum of 8 characters that do not contain more than 3 consecutive identical letters, and include a number, an uppercase letter, and a lowercase letter. The top passwords from the RockYou list which satisfies these conditions are: Password1, Princess1, P@ssw0rd, Passw0rd and Michael1.
iCloud is part of Apple’s ecosystem that automatically uploads photos taken with an iPhone to the cloud. From here the photos can be seen on other Apple devices owned by the account holder. iCloud also acts as a form of backup so if a device is lost or broken the photos are still available. The problem is that some people don’t realize that their photos are being sent automatically to Apple’s servers and the only thing stopping others from viewing those photos is their password, which isn’t much protection at all if the user has set a password like Password1 and so on.