Apple iCloud password reset could have let hackers in with ONLY an email address

Hackers could have gained access to celebrity iCloud accounts using just an email address and a search engine, it has been claimed.

Apple's password reset system for accounts has become the latest target in the hunt to find out how nude photos of Jennifer Lawrence and '100 other celebrities' were leaked.

It allows people to reset a password by answering two security questions - the answers to which can often be found online for celebrity users.

Apple's online system for resetting iCloud passwords has come under scrutiny for its part in the hacking case.

HOW TO PROTECT YOUR ACCOUNT

Experts say worried consumers should turn on two-step verification for their iCloud account.

The tool prevents people accessing accounts - even if they have the password.

To set up two-step verification, go to My Apple ID. Select Manage your Apple ID and sign in, then select Password and Security.

Under Two-Step Verification, select Get Started and follow the onscreen instructions.

When a user sets up two-step verification, they register one or more trusted devices.

A trusted device is one that can receive 4-digit verification codes using either SMS or Find My iPhone. 

Apple has admitted it is 'actively investigating' claims a flaw in the 'Find My iPhone' function of its iCloud service may have helped a hacker to steal the photos.

Today it emerged hackers may also have used the service's password reset function to gain access to accounts.

This allows users to reset their password by entering their username, date of birth and correctly answering two security questions.

Experts say this information should be relatively easy to find for celebrities.

Apple does email users to tell them their password has been changed. 

However, on the AnonIB hacking messageboard, those who say they have used the method claim that it's often best to reset the password at night so that the password reset email can be read and deleted before the target is awake. 

Rich Mogull, a security expert with Securosis, warned celebrities not to use the real answers to these questions as hackers would be able to find many of the answers online.

'The key is not to put the real answers to these questions,' he told MailOnline.

The reset system allows those who have forgotten their password to reset it by answering a series of questions.

Users are asked to first confirm their date of birth - which is straightforward to find online

They are then offered two options - to change their password using email authentication or by answering security questions

The system then asks users two questions to complete the process and allow them to reset their password

Users are then asked to answer two security questions, which range from their first car to their favourite job, which were set up when they signed up for the account.

WAS IBRUTE TO BLAME?

Code called iBrute, posted on the software development site GitHub, would have allowed malicious users to use 'brute force' to gain an account's password on Apple iCloud, and in particular its Find My iPhone service.

Apple has since issued a fix for the bug. 

'The end of the fun, Apple has just patched,' read an update on the post.

Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.

Just as a criminal might break into, or 'crack', a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence. In a six-letter attack.

'Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this,' said Owen Williams from The Next Web.
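The two weaknesses the article describes - a reset flow that relies on guessable answers, and a login endpoint that let iBrute try passwords without limit - share one mitigation: the service must count failures and stop answering after a few. The toy reset verifier below is an added example, not Apple's code or the article's; it models the described flow (date of birth plus two security questions) with a per-account lockout, constant-time answer comparison and a notification record standing in for the reset email. All account data, the attempt limit and the lockout window are constructed values.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5        # failed reset attempts before lockout (assumed policy, not Apple's)
LOCKOUT_SECONDS = 900   # lockout window in seconds (assumed policy)


def _norm(text):
    """Normalise an answer so 'Ford Fiesta ' and 'ford fiesta' compare equal."""
    return " ".join(text.strip().lower().split())


def _digest(text):
    """Store answers hashed rather than in clear text."""
    return hashlib.sha256(_norm(text).encode()).hexdigest()


class ResetService:
    def __init__(self):
        # username -> {dob, answers (hashed), fails, locked_until, notices}
        self.accounts = {}

    def register(self, user, dob, answers):
        self.accounts[user] = {"dob": dob, "answers": [_digest(a) for a in answers],
                               "fails": 0, "locked_until": 0.0, "notices": []}

    def attempt_reset(self, user, dob, answers, now=None):
        """Return 'reset', 'denied' or 'locked'; never reveals which field was wrong."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"          # same response as a wrong guess: no username enumeration
        if now < acct["locked_until"]:
            return "locked"          # guesses during the lockout are not even evaluated
        ok = acct["dob"] == dob and len(answers) == len(acct["answers"])
        for stored, given in zip(acct["answers"], answers):
            ok &= hmac.compare_digest(stored, _digest(given))   # constant-time compare
        if ok:
            acct["fails"] = 0
            acct["notices"].append("password reset completed")  # stands in for the email
            return "reset"
        acct["fails"] += 1
        if acct["fails"] >= MAX_ATTEMPTS:
            acct["fails"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["notices"].append("reset locked after repeated failures")
            return "locked"
        return "denied"
```

Even with the lockout, a correct answer that is public (a celebrity's date of birth, first car) still resets the account on the first try, which is why Mogull's advice to use non-real answers and two-step verification remain the stronger defences.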

Mogull, who admitted hackers had tried to access his account, warned that it was still unclear exactly what happened.

'We don't know what happened yet, and in the security world, you need all the facts.'

He also believed consumers were likely to stay with the firm despite the breaches.

'Historically we don't see a mass exodus from breaches, consumers don't seem to change their behaviour.

'There's a lot of historical precedent here - and this is just a first strike for Apple.

'It does appear that there was a flaw in iCloud - and we need to hear from Apple what the problem was, and what they are going to do to make it better,'

Experts believe the breadth of the celebrities affected could be down to a 'chain effect' - once one celebrity's phonebook was accessed, it could lead to dozens more.

Security consultant Graham Cluley told MailOnline: 'For these attacks to work, you also need the email addresses of the target.

'But what we have seen is that hackers can access address books - and this would have helped the hackers.'

Cluley also believes the 'reset password' system may have been used.

'It's certainly possible that people would have used this,' he said.

'In the case of celebrities, these secret questions are very easy to find online - either in Wikipedia or by searching through some interviews.' 

Dropbox requires users to respond to an email sent to their address to reset a password

Apple has only issued one statement, last night, on the attacks.

'We take user privacy very seriously and are actively investigating this report,' Apple spokeswoman Nat Kerris told MailOnline. 

Cluley said that anger was growing at Apple among iCloud users. 

'Even though we don't know exactly what happened, the feeling is growing that Apple wasn't doing enough to stop this,' he said.

However, Cluley believes customers will stick with Apple.

'I don't think we'll see a mass exodus - people's memories are very short. 

Jennifer Lawrence and model Cara Delevingne are among those hit by the leaks so far

'Apple is about to announce a new iPhone, and people will use iCloud to move their data to it, because it's such a simple process. 

The hacker claims he or she broke into stars' iCloud accounts, including those of the Hunger Games actress, Kate Upton and Rihanna, before publishing them on 4chan, the image-sharing forum.

A list of the alleged victims of the hack - a staggering 101 in total - has also been posted online; most of whom have not seen any photographs leaked by the hacker.

Cluley said he thought 'more leaks are to come'. 

Experts also think a flaw in Apple's Find My iPhone was used for some of the hacks. 

However, despite not admitting the bug was caused by its system, the tech giant issued a 'patch', or fix, for the alleged 'Find My iPhone' bug some claim is responsible. 

The hacker who posted the first batch of pictures said it was the result of 'several months of hard work by all those involved'

And in a statement issued on Monday afternoon, the FBI confirmed that it had also begun an investigation.

'The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.

'Any further comment would be inappropriate at this time.'

Kirsten Dunst became the first celebrity to publicly criticise Apple on Monday when she posted a sarcastic message on Twitter.

The Spiderman star tweeted 'Thank you iCloud', the day after naked photos of her were published online. 
