Novice mistake may have been the cause of the iCloud naked celebrities hack

The way in is simple. Credit: chipsillesa, CC BY-NC-ND

The investigation of the hack that gave the world access to hundreds of nude celebrity pictures has identified yet another serious gap in online security. Given Apple's reputation as one of the more secure tech companies, this puts it in a tight spot. The ramifications of the weakness for other companies are also serious, as more and more people use cloud services to store their data.

The compromise appears not to involve a flaw in iCloud's storage or its backup system as such. Instead, while investigating the activity, researchers found a weakness in the login endpoint used by the Find My iPhone app: it accepted an unlimited number of authentication attempts. That is a basic design error, the kind of novice mistake made when setting up the security of cloud infrastructure.

Most login systems lock a user out after a certain number of failed attempts at remembering (or guessing) a password. This guards against an attacker simply trying the handful of passwords that might fit. But Find My iPhone apparently had no such automatic lock-out, so an attacker could use automated tools that try many username and password combinations until one of them works.

Such tools are numerous. Hydra, for instance, reads candidate usernames and passwords from wordlists and can speak most of the common login protocols found on the internet. It can then blast a login system with millions of credential guesses, and if a user has chosen a weak password it will quickly find a successful login.

Apple's authentication system perhaps failed because it was tuned for usability: users routinely forget their passwords and then keep trying to remember the right one. If legitimate users kept getting locked out, that would be a significant drain on support, since a human operator would be needed to verify the user and reset the account.

Overall, the authentication system in this case provided no lock-out against scanning for usernames and passwords. It should have had in place:

  • A lock-out after a certain number of failed attempts.
  • A network detection system that spots many login attempts against a single account (or from a single source). Apple probably has this in place, but it requires a complex infrastructure of listening agents on the network, commonly known as intrusion detection systems (IDSs).
  • A "human" challenge, such as a CAPTCHA, to stop automated bots from trying many usernames or passwords.
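To make the lock-out argument above concrete, here is an added example (not code from the article, from Apple, or from any real attack tool): a toy login service that can be run with or without a per-account lock-out, a Hydra-style wordlist attacker that guesses online against it, and a log-based detector of the kind the IDS bullet describes. The user database, the wordlist, the thresholds and the log line format are all constructed for illustration; the failure threshold and lock-out window are assumptions.

```python
"""Added example: per-account lock-out versus online password guessing.
Nothing here is Apple's code or iBrute; users, wordlist and log lines are constructed."""
import hashlib
import hmac
from collections import Counter, defaultdict

MAX_FAILURES = 5            # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lock-out window


def password_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # Low iteration count keeps the demo fast; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)


# Hashed once so an unknown username costs the same as a wrong password.
DUMMY_HASH = password_hash("\x00no-such-user")


class LoginService:
    """Authenticates users; lockout=False reproduces the Find My iPhone flaw."""

    def __init__(self, users: dict, lockout: bool = True):
        self.users = {u: password_hash(p) for u, p in users.items()}
        self.lockout = lockout
        self.clock = 0                     # simulated seconds, one tick per attempt
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # account -> clock value when lock expires
        self.log = []                      # syslog-like lines the detector reads

    def _record(self, ip: str, user: str, result: str) -> str:
        self.log.append(f"t={self.clock} ip={ip} user={user} result={result}")
        return result

    def login(self, user: str, password: str, src_ip: str) -> str:
        self.clock += 1
        if self.lockout and self.locked_until.get(user, -1) > self.clock:
            return self._record(src_ip, user, "LOCKED")
        # Always hash and compare in constant time, so response time does not
        # leak whether the username exists.
        stored = self.users.get(user, DUMMY_HASH)
        good = hmac.compare_digest(stored, password_hash(password)) and user in self.users
        if good:
            self.failures[user] = 0
            return self._record(src_ip, user, "OK")
        self.failures[user] += 1
        if self.lockout and self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock + LOCKOUT_SECONDS
            self.failures[user] = 0
        return self._record(src_ip, user, "FAIL")


# Constructed wordlist of the kind Hydra reads with -P; real lists run to millions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey",
            "dragon", "baseball", "football", "Summer2014", "Princess1", "welcome1"]


def wordlist_attack(service: LoginService, user: str, wordlist, src_ip="203.0.113.7"):
    """Online guessing the way Hydra does it; returns the password found, or None."""
    for guess in wordlist:
        result = service.login(user, guess, src_ip)
        if result == "OK":
            return guess
        if result == "LOCKED":
            return None   # the lock-out ends the run long before the list is exhausted
    return None


def detect_bruteforce(log_lines, threshold: int = MAX_FAILURES) -> dict:
    """What an IDS or log monitor would do: count non-successful logins per
    source IP and per account and flag anything at or above the threshold."""
    per_ip, per_user = Counter(), Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["result"] != "OK":
            per_ip[fields["ip"]] += 1
            per_user[fields["user"]] += 1
    return {"ips": sorted(ip for ip, n in per_ip.items() if n >= threshold),
            "users": sorted(u for u, n in per_user.items() if n >= threshold)}


def demo() -> dict:
    """Run the same attack against a service without and with lock-out."""
    users = {"alice": "Summer2014", "bob": "c0rrect-horse-battery-staple"}  # constructed
    results = {}
    for lockout in (False, True):
        svc = LoginService(users, lockout=lockout)
        svc.login("alice", "Summer2014", "198.51.100.4")   # one legitimate login in the log
        results[lockout] = {
            "cracked": wordlist_attack(svc, "alice", WORDLIST),
            "attempts": len(svc.log) - 1,
            "alerts": detect_bruteforce(svc.log),
        }
    return results


if __name__ == "__main__":
    for lockout, r in demo().items():
        print(f"lockout={lockout}: cracked={r['cracked']!r} after {r['attempts']} "
              f"attempts, alerts={r['alerts']}")
```

Without the lock-out the weak password falls on the tenth guess; with it the account locks after five failures and the attacker's sixth request is refused. In both runs the detector flags the source IP and the account, which is the point of the second bullet: even where lock-out is deliberately lenient for usability, the failure pattern is still visible in the logs.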

The problem often comes down to developers rushing a solution online without giving security enough consideration. This was a novice-level problem, discovered by outsiders, and most system administrators would say a lock-out is the most effective fix.

In many cases a lock-out after three attempts is used; with typing errors on mobile phones that value is perhaps too low, but it should at least be set at a level that protects the user. The balance between usability and security is tricky, but it is the job of any tech company to find an optimal solution. Apple must learn from this public relations disaster.


This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).

Citation: Novice mistake may have been the cause of the iCloud naked celebrities hack (2014, September 5) retrieved 19 October 2019 from


User comments

Sep 05, 2014
Is not the security here to require increasingly long gaps between new tries? This was not a "novice" mistake; the error is so gross that legally it goes into criminal negligence: not putting on the wrong locks where one is expected, but no locks.

Sep 05, 2014
Apple's iCloud accepted credentials from a grossly defective Apple login portal.

Irresponsibility adds insult to the damage.

Sep 05, 2014
Caveats: that's if and for those accounts cracked with iBrute.

For password resets, a tip: use an unrelated answer to these commonly asked security questions.
Q: mother's maiden name? Mt. Kilaminjaro
Q: brand of first car? scoobydoo

Sep 06, 2014
@Squirrel, @RhoidSlayer I agree with both of your statements.

I used to give Apple a pass in my books because their products made a small portion of people I knew happy.

But I can't forgive them for this... It offends me as a programmer because I know how little effort it takes to prevent this horrendous breach of privacy.

Sep 06, 2014
I wish the lesson we learned from this is that passwords are a wretched, egregious form of authentication. As expensive and painful as it might be, that we might resolve to adopt a more secure authentication model.

Everybody and his brother thinks he has a better way to increase entropy, or stymie brute-forces. I have pessimistic faith, however, that hackers have a better understanding of the problem.
