Currently the rumour is that the photo leak is an underground celeb photo sharing ring, where you use photos you've hacked to get access to more photos, and isn't limited to iCloud / Apple, but who knows.
Other people getting mails from Apple saying people tried to reset your Apple ID? They tried several times just an hour ago (was not checking my mail)...
Here is another flaw in iPhone. If a person is casting their screen to an Apple TV and must enter their PIN number, the screen will highlight each button press on the TV. No fingers in the way to even block it. Simple solution: don't broadcast this or don't provide screen feedback for entering the PIN.
Not so fast. This can very well be the leak used to access the celebs nude pics.
Script kiddie gets access to the script. Tests it again some easily guessable celeb. emails (or emails he already knows somehow). Gets lucky. Gets access to many other celebrities' emails, gets even luckier. The whole thing snowballs from there.
What do you guys think?
Addendum: the way it went down on 4chan points towards someone that is not an expert on extortions. You don't go to the public for some pocket change when you can have publications or the celebs paying you hundreds of thousands of dollars for those pictures.
Anyway, I hope the FBI gets this freak and put him in the can for as long as they're able to.
I do, I think Snowden is a hero.
That does not stop me from thinking that this kind of behavior should be punished exemplarily.
This is no "new product" leak, nor a ethical hack performed to expose a hidden truth. It's just some private pictures stolen and uploaded to the internet for the public to see.
Jennifer Lawrence has all the rights to take private nude pictures of herself in the privacy of her own house. Nobody has the right to steal them, even if her iCloud password was Katniss.
Sounds plausible. And if it’s not this particular bug it may very well be some other. I find it hard to believe that someone just hacked his way into 400+ phones without any kind of glitch in the system. And judging by the fact that he went only for pictures and videos it doesn’t sound like an elaborate scam that could use high profile hacks like a fake connection antenna or something equally sophisticated.
Address books are backed up on icloud aren't they? So you get into one celeb account and it's easy from there. Use their address book to find agent/manager/publicists's info, then an endless chain of celebs from there.
The password list for this particular implementation is pretty limited. I doubt all the celebs hacked had a password on that list. The concept may well have been used with different code / pw dictionary.
So how could people use this to, for example, access people's photo's? Doesn't the two-factor authentication kick in whenever someone logs in from an untrusted device?
Two-factor authentication is optional and not enabled by default. Not sure if there is email confirmation required when logging in from an untrusted device the first time.
It'd be nice if Windows/OSX/iOS/Android came with 1Password out of the box. It's both easier to use and more secure than manual passwords, which is a rare combination.
I've found this to work pretty well in most cases, but there are some websites that don't semantically mark up their fields in a way the browser can recognize, and there's no way to manually trigger the password suggestion feature.
One of my credit cards requires a password no longer than 16 characters, no spaces, no special characters. They're only a few more restrictions away from just requiring that it be a significant birthday or something similar.
I used to have an ATM card with an 8-digit PIN. When entering the PIN, I noticed the screen would flash after the fourth digit. Subsequently, I discovered I actually only needed to enter the first four. That continued until the bank got taken over by Bank of America in 2004. Suddenly, I needed to enter the whole PIN!
I think generally all it needs is a password field.
My Thai business banking system is paranoid and disables autocomplete, paste, etc, even with the security of a physical token), but the one that really annoys me is things like Basecamp - I had to futz around and disable JavaScript for a login to be recognised and prompt to save a password - by default it does an XHR which doesn't trigger the "save password" prompt.
Hopefully apple is doing more than just fixing the code flaw, and is using logs to see which emails had brute force attempted on them and locked/reset those apple ids.
I solve the problem whit bypass iCloud activation screen lock on my iPhone from Apple . Hakers hack it !!! This bypass iCloud software is available on this page :
www.bypassicloudactivationlock.net . This is a survey page , so for downloading the tool I must compleate a survey ( I download Flash player before the tool ) . Nice job hackers. Great work ...
The bomb on Apple iOS security is here. My friend bypass the iCloud activation screen lock whit the hack tool from this page http://bypassicloudactivationlock.blogspot.com/ Look it if you have this problem - you can solve it here
The bomb on Apple iOS security is here. My friend bypass the iCloud activation screen lock whit the hack tool from this page http://bypassicloudactivationlock.blogspot.com/ Look it if you have this problem
So there is no ethical responsibility to protect the users who will be left vulnerable to this exploit? Remember the danger here is screwing people who have iCloud accounts. It's not like Julie the housewife in Minnesota, had any say in the security of Apple's products.
One problem is that if the exploit is given silently to the company, they often don't change any of their practices (even if they fix that particular exploit), and more exploits soon surface, and maybe this time by people who plan to abuse them instead of telling the company.
By going loud and public, you ensure that the company has to do something to save face. It can't just be forgotten on some manager's desk.
And the fact is, you, as part of the public, would only know about the times when somebody goes loud about an exploit. For all you know, there might have been hundreds upon hundreds of times when security researches have gone to the company and been outright ignored, and when one finally goes loud with what he has found, you say "He really should have done this more quietly, it would have been much more responsible"
According to the person who is actually leaking this pictures to popular forums, he acquired many of the pictures either by trading or buying them from the -real- hackers on one of those shady online marketplaces.
He claims the hackers got them from iCloud hacks, and other more social engineering hacks.
No it has nothing to do with it.
It's just a script exploiting the former lack of a brute force containment measure on Find My iPhone's login interface, now patched.
It's sad that there aren't legal requirements for security hardening. There are massive corporations which retain sensitive information that are low hanging fruit for script kiddies.
idk, I can imagine the recent celebrity leaks would sue Apple for allowing those pictures to be distributed. Of course, I'm sure Apple's got a clause in its iCloud T&C's that makes them deny liability.
Your typical Android phone has 2-3 built in backup options (e.g. Google+ photo backup, Google Cloud Backup, [manufacturer] backup).
So unless those are all well secured (and they may be, no clue) then moving to Android is no magical fix.
A better way of doing things is making it more clear to people what they are and aren't backing up. I'm sure for the majority of people backing up nudes is unintentional.
This whole "exploit / massive celebrity pics leak" is surreal... Is this Apple's answer to Cloud to Butt Google Chrome's extension?
That's the reason why I will never trust the cloud for personal stuff (for non-critical professional stuff is ok)... I'd only be willing to test MaidSafe, after they reach a stable release...
I don't know if this was the attack used in the hack, but it is really, really bad news for Apple. The public is not going to trust iCloud any more. I'm pretty sure Apple will drop iWallet from the keynote, or it'll end up like their maps.
Yeah, no one plays Playstation since the Sony hack.
And I bet no one shops at Target any more.
TKMaxx ceased trading right after their hack.
Linked In is a thing of the past.
"End up like their maps," meaning frequently used by the vast majority of iDevice owners?
I'm no fan of Apple Maps. I pretty much only use it when I have to (e.g. because Find My Friends uses it) or to make fun of it. But there are a ton of people who don't care and just use the default. Even among my tech-savvy programmer friends it's common.
