Just to be clear, that totally wasn't our fault. That's the long and short of what Apple said Tuesday, addressing the recent celebrity photo hacking scandal that's violated many prominent actresses and musicians, Jennifer Lawrence prominently among them. Specifically, Apple denied an iCloud flaw allowed the photo hacking to happen, and claimed the leaked photos were the result of a "very targeted attack" on the hacked celebrities' accounts.
It's a clear attempt to quell some of the security concerns that have arisen in the aftermath of the leaks, and it's not hard to see why. I'd venture that most people who upload files to a cloud server, at one time or another, have had a moment of wonder about whether their information is actually secure. But it puts the question front-and-center to know that so many public figures had such sensitive, private images stolen and splashed across the internet.
Still, Apple is maintaining that their iCloud service wasn't the vulnerable party here. According to a statement released Tuesday, 40 hours of investigation since the incident has led Apple to conclude that the service was fine, and the real culprit may have been the celebrities overusing the same passwords, making them more vulnerable to traditional means of data theft.
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
This may be entirely true, obviously, but Apple's explanation does leave some questions unanswered. Specifically because Apple apparently did patch iCloud in the aftermath of the leaks, correcting a security flaw that very logically could've been exploited to gain access to private user data.
Here's the gist: one of the ways that hackers can try to access your account is by something called a bruteforce tool. Basically, if someone has your email address, and is trying to login through a service that doesn't prevent them from guessing different passwords over and over again, they can use a brute force tool to keep guessing at hyper-speed. It just tries different passwords over and over again, much faster than any person could, until it gets through.
Engadget was the first to lay out this situation. Developers of the hacking tool "iBrute" revealed Saturday, just one day before the celebrity photo hacks, that the "Find My iPhone" app didn't have bruteforce protection. And because "Find My iPhone" logs into the same account so much of the Mac life centers around— the Apple ID — even one app lacking that protection can compromise the others, including iCloud.
But regardless of what actually transpired — it is possible that iCloud was vulnerable, and yet wasn't exploited in this instance — all this security breach postmortem is probably cold comfort for the women who have already had their privacy shattered. The next best thing you could do to help them, at this point, is just to refuse to view the photos, and to challenge anyone who decides to do so. I'll leave it to Mary Elizabeth Winstead, who I think said it best.