Celebrity Nude Photo Scandal: iCloud Flaw Responsible?

Written by Alex Zaharov-Reutt      02/09/2014 | 14:16 | Category: CLOUD

The news that a swathe of private nude photos of celebrities has leaked across the web has caused concern over just how safe cloud services are for storing private information, with suspicion falling on weak passwords being the conduit to troves of iCloud data as well as issues with Apple's password reset service.

Celebrity Nude Photo Scandal: iCloud Flaw Responsible?
The latest nude celebrity scandal has a high tech twist: hundreds of extremely private photos of celebs such as Kirsten Dunst, Jennifer Lawrence and many others apparently stolen from iCloud accounts linked to specific Apple IDs and published on 4chan, Reddit, Twitter and elsewhere with the FBI now investigating.  

Aside from raising obvious questions over how smart and safe it is to place private information in cloud services, let alone nude photos, it has also led users to wonder whether Apple has been hacked, also due to celebrities such as Kirsten Dunst publicly tweeting a sarcastic thanks to Apple, saying "Thank you iCloud" with a picture of a slice of pizza and that famous emoticon of a smiling pile of poop. 


Click to enlarge
Just two of the celebrities caught up in the nude photo scandal.

Despite this tweet, Apple's iCloud service does not appear to be suffering any major vulnerability that is giving hackers absolutely unchecked access to user information, but there does appear to have been a seemingly minor problem hackers found a way to exploit. 

According to a report from The Next Web, an issue with Apple's "iforgot.apple.com" appears to be a possible conduit for the attack, having previously allowed hackers unlimited attempts at using the iForgot password reset service without notifying the account owner that repeated attempts at accessing accounts were happening. 

The Next Web reports this issue has now been patched by Apple, with the Apple ID being suspended after five failed password reset attempts, so further hacks cannot take place - or at least until a password has been reset. 

Whether this will end up in nuisance password resets for random Apple IDs is yet to be seen, although the maliciousness of various hackers in wanting to cause havoc cannot be discounted, and Apple may yet have more work to do to secure its online services. 

Given Apple's strong focus on customer service, quality hardware and software, and making money creating products and services people want to buy, rather than selling information and other meta data collected on its users as various search engines and social networks have been doing, it is disturbing to discover reports that Apple had not implemented any system to limit password reset attempts. 

Thus this entire episode is a major wake-up call for Apple and all other online accounts and cloud services that they are all one hack away from seriously bad news for not only the companies concerned but all their customers. 

It's also a major wake-up call to end-users to understand what their digital devices are doing with their data, and to implement extremely strong passwords that would be much tougher to crack than plain, simple passwords. 

For example, is your iPhone, Android or other smartphone automatically uploading every photo you to take iCloud, Google+ photos, OneDrive, Dropbox or elsewhere?

Do those photos contain embedded GPS location data because you haven't turned that feature off, and perhaps didn't even know it existed or was happening?

Do you have iMessages set up on an iPod Touch or iPad in addition to your iPhone, sending iMessages to those other devices automatically, letting anyone with access to those other devices see conversations in progress - especially if a password hasn't been set?

As for passwords, are you still using the same password across multiple sites? Is your password at least 10 characters long, if not longer, with a combination of upper and lower case letters, characters and numbers?

Are you using a password keeper such as 1Password or several others out there to manage the ever growing set of usernames and passwords each new online service requires?

What about the answers to your security questions? Are the answers to these questions easily discoverable by someone searching for your name online, or finding information on your social media profile? Are they answers various friends would know simply by being friends with you?

Strategies in this case include giving answers which you will know only too well, but which are completely unrelated to the question being asked, such as answering "red hot chilli pepper$" when asked "what is your mother's maiden name". 

It's also vitally important to change your passwords on a regular basis, as services such as BreachAlarm.com keep track of all the publicly leaked username and password lists showing you if your email address and password has been hacked in the past. 

As an example, when I search for my email address, which is a username for some but not all of the online services I use, BreachAlarm informs me that it appears in three different lists of hacked accounts. 

One of these was because the US company that publishes Gizmodo and related online publications famously had its user database hacked. The other two sites affected by hack events have faded from memory, but had I not changed my passwords several times over by now, various accounts I use would have been completely compromised, and my data easily stolen. 

So, with the danger of cloud services being compromised by a combination of lax security practices by online companies and weak passwords and security questions by end-users, a stark reality emerges. 

To truly be safe, you need to take your online security and passwords as seriously as you take the security of your car and home, you need discover where your gadgets are automatically sending information you may not be aware of, you need to question your online service provider's security efforts and you definitely need think twice before storing extremely private information of any type on any online service.

Finally, Apple spokesperson Natalie Kerris told tech news site Recode that "We take user privacy very seriously and are actively investigating this report".