Friday, September 5, 2014

Finally, the vulnerability that caused the celebrity photo leak is fixed

There was a scandal on Sunday after a large cache of alleged nude photographs of female celebrities was dumped onto an online forum, a message board used for sharing pictures. As a result of the leak, nude photographs and videos of female celebrities are apparently being widely circulated on the internet.
After the mainstream media broke the story, the affected celebrities, including Oscar winner Jennifer Lawrence and model Kate Upton, came forward to respond. Within 12 hours, the web was awash with private and very personal photographs of celebrities.
On August 30, just a day before the massive leak, proof-of-concept code for an Apple ID password brute-force attack was uploaded to GitHub by the mobile security team HackApp. What a coincidence, isn't it?
The proof-of-concept code for the exploit is known as iBrute. The code exploited a vulnerability in the sign-in page of Apple's Find My iPhone service. The flaw let attackers flood the site with an unlimited number of password attempts without ever being locked out, so by brute force they could guess the passwords protecting those celebrities' accounts. Apple patched the vulnerability early on September 1.
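The defect described above is the absence of any failed-attempt limit on a sign-in endpoint. As an added illustration (not code from the article, from HackApp, or from Apple), the following Python sketch models a login service both without a lockout, which is the behaviour the article attributes to the Find My iPhone page, and with a per-account lockout, and then runs a simple detection rule over the service's own audit log. The usernames, passwords, guess sequence and lockout parameters are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed demo; not Apple's or HackApp's code. Credentials and guesses are made up.


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; production code would use argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginService:
    """Sign-in endpoint with an optional per-account lockout.

    max_failures=None reproduces the unbounded-attempt behaviour the article
    describes; an integer enforces a lockout window after that many
    consecutive failures for the same account.
    """

    def __init__(self, users, max_failures=None, lockout_seconds=900, clock=time.time):
        self._users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash_password(password, salt))
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.audit_log = []  # (timestamp, username, event)

    def _locked(self, username, now):
        until = self._locked_until.get(username)
        return until is not None and now < until

    def login(self, username, password):
        now = self._clock()
        if self._locked(username, now):
            self.audit_log.append((now, username, "LOCKED"))
            return "locked"
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal whether
        # the account exists.
        salt, expected = record if record else (b"\x00" * 16, b"")
        candidate = _hash_password(password, salt)
        if record and hmac.compare_digest(candidate, expected):
            self._failures[username] = 0
            self.audit_log.append((now, username, "OK"))
            return "ok"
        self._failures[username] += 1
        self.audit_log.append((now, username, "FAIL"))
        if self.max_failures is not None and self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
            self.audit_log.append((now, username, "LOCKOUT"))
        return "denied"


def run_guess_sequence(service, username, guesses):
    """Feed a constructed sequence of guesses to the service; return the outcomes."""
    return [service.login(username, g) for g in guesses]


def flag_brute_force(audit_log, window_seconds=300, threshold=10):
    """Detection rule: usernames with more than `threshold` FAIL events inside
    any sliding window of `window_seconds`, computed from the audit log."""
    per_user = defaultdict(list)
    for ts, user, event in audit_log:
        if event == "FAIL":
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged


def demo():
    # Deterministic clock: every login call advances the clock by one second.
    tick = [0]

    def clock():
        tick[0] += 1
        return tick[0]

    users = {"alice": "correct-horse-battery-staple"}  # constructed account
    guesses = [f"wrong-{i}" for i in range(12)] + ["correct-horse-battery-staple"]

    unbounded = LoginService(users, max_failures=None, clock=clock)
    without_lockout = run_guess_sequence(unbounded, "alice", guesses)

    bounded = LoginService(users, max_failures=5, clock=clock)
    with_lockout = run_guess_sequence(bounded, "alice", guesses)

    return {
        "without_lockout": without_lockout,  # 12 x "denied", then "ok"
        "with_lockout": with_lockout,        # 5 x "denied", then 8 x "locked"
        "flagged": flag_brute_force(unbounded.audit_log),  # {"alice"}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Without a limit, the thirteenth guess (the correct password) succeeds; with `max_failures=5` the account is locked after the fifth failure and the later correct guess is refused until the window expires. The detection function shows the second half of the defence: even where lockout is absent, a burst of FAIL events for one account within a short window is visible in the endpoint's own log.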
Apple has acknowledged the attack but did not address the vulnerability discussed here. The company issued a press release stating that neither iCloud nor Find My iPhone had been responsible for the leak of several private and personal photos of celebrities.
Rather, it said that the celebrity photo breach was a "very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."
Apple is encouraging its users to enable its two-factor authentication service in an effort to prevent security-question-based attacks on their accounts.
There is no doubt that two-factor verification makes it more difficult for hackers to obtain a user's login credentials in the first place, thereby preventing many attacks. But an iCloud backup can be restored with just a user name and a password, which leaves the two-factor authentication process incomplete.
Unfortunately, Apple's two-factor authentication currently doesn't protect against the kind of attack used in this case. It does not cover many other iCloud services, including backups. As noted by TechCrunch, the only three things two-factor authentication secures in iCloud are:
  • Signing in to My Apple ID to manage their Apple account
  • Making iTunes, App Store, or iBookstore purchases from a new device
  • Receiving Apple ID-related support from Apple
In fact, it doesn't make you enter a verification code when you restore a new device from an iCloud backup, and this security hole is what the hackers are taking advantage of.
Using software such as ElcomSoft's to download an iPhone's iCloud backup, one can circumvent the two-factor verification mechanism entirely, because the two-factor system does not cover iCloud backups or Photo Stream.
To protect against such threats, users should follow this advice:
  • Whatever the limitations of the two-factor verification process, you should enable it, because it definitely adds an extra layer of security to your account.
  • Use different passwords for different accounts, so that if one is breached you do not lose everything.
  • Use a complex password and do not share it with anyone.
  • The same applies to email: use a private email address for your Apple ID, one that you don't share with anyone.
  • Don't click on links provided in emails; visit the website directly instead.
  • Don't share your personal information over social networks at any cost.
  • Most importantly, use completely incorrect or random answers to password reset questions, so that nobody can guess them.
