The Next Web reports this morning that Apple has allegedly patched a security hole in the Find My iPhone service that allowed nefarious users to brute-force Apple ID passwords, citing Twitter user @hackappcom, who posted a proof of concept titled ‘iBrute’ to GitHub on Saturday.
This should be good news for celebrities who reported their iCloud accounts being hacked and saw their nude pictures posted online.
As Cody told you yesterday, Academy Award winner Jennifer Lawrence and several other celebrities found themselves in the middle of a major nude photo leak after attackers apparently exploited a vulnerability in Apple’s Find My iPhone service.
@hackappcom this morning updated his post with a line suggesting that Apple fixed the security hole at 3:20am PT. “The end of fun, Apple have just patched,” reads the post.
After testing the attack method only to see their Apple ID locked after five unsuccessful attempts to guess the password, The Next Web came to the conclusion that Apple has in fact patched the hole.
The Independent said today that Apple has “refused to comment” on any security flaw in iCloud.
The attack apparently relies on a Python script that employs an automated dictionary attack to guess a user’s iCloud/Apple ID password.
The problem with Find My iPhone lies in the fact that the service does not lock the account after a few unsuccessful attempts, allowing attackers to repeatedly try to match a user’s Apple ID/iCloud password.
Once Apple ID/iCloud credentials have been obtained, attackers can log in to various cloud services and retrieve photos, contacts, emails and other data.
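The lock after five failed guesses described above only helps if every service that accepts the password shares one failure counter per account. The sketch below is an added example, not Apple's code or part of the original article; the endpoint names, lock duration, salt and sample account are assumptions.

```python
import hashlib
import hmac

MAX_FAILURES = 5            # the article reports a lock after five bad guesses
LOCKOUT_SECONDS = 15 * 60   # assumed lock duration, not stated in the article
SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class AccountThrottle:
    """Failure counter keyed by account only, shared by every endpoint."""

    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time the lock expires
        self.audit = []         # (endpoint, account, result) for detection

    def check(self, users, account, password, endpoint, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now`."""
        if now < self.locked_until.get(account, 0):
            result = "locked"   # refuse before the password is even compared
        else:
            stored = users.get(account, b"")
            if hmac.compare_digest(stored, hash_password(password)):
                self.failures.pop(account, None)
                result = "ok"
            else:
                self.failures[account] = self.failures.get(account, 0) + 1
                if self.failures[account] >= MAX_FAILURES:
                    self.locked_until[account] = now + LOCKOUT_SECONDS
                    self.failures.pop(account, None)
                result = "denied"
        self.audit.append((endpoint, account, result))
        return result


def replay(guesses, endpoints=("web_login", "device_locator")):
    """Feed guesses to alternating (hypothetical) endpoints, one per second."""
    users = {"user@example.com": hash_password("correct horse")}  # constructed
    throttle = AccountThrottle()
    return [throttle.check(users, "user@example.com", guess,
                           endpoints[i % len(endpoints)], now=i)
            for i, guess in enumerate(guesses)]
```

Because the counter ignores the endpoint label, spreading guesses across services does not buy extra attempts, and the `audit` list gives a per-endpoint record of `denied` and `locked` results to alert on.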