Apple has denied vulnerabilities in its iCloud and Find My iPhone services were the source of stolen photos of celebrities which leaked online over the weekend.
Following a 40-hour investigation by its security team, Apple said there is no evidence of a breach of its cloud services, despite claims made online.
However, it has admitted hackers had launched a "very targeted" attack on certain users' accounts.
Expressing "outrage" at the serious violation of the victims' privacy, Apple said: "When we learned of the theft, we ... immediately mobilised Apple’s engineers to discover the source.
"We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet."
However, it added that "none of the cases [it] investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone."
Social engineering attacks
The statement from Apple could indicate the alleged 101 victims fell victim to a phishing attack, where they were tricked into handing over their security details.
Independent security analyst Graham Cluley had previously suggested this type of attack, or possibly the use of the service's "I forgot my password" utility, was more likely than a breach of iCloud.
"Many sites give you a 'forgot your password' option, or ask you to jump through hoops by answering 'secret questions' to prove your identity," said Cluley.
He added, however, that "in a celebrity’s case, it may be particularly easy to determine the name of their first pet or their mother’s maiden name with a simple Google search".
Trend Micro researcher Rik Ferguson also said a "wide scale 'hack' of Apple's iCloud is unlikely".
Apple has advised "all users to always use a strong password and enable two-step verification" - a sentiment that has been echoed far and wide by security specialists.
The company said it's still working with law-enforcement agencies to find the culprits. The FBI issued a statement earlier in the week saying it was "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter".
The alleged attack on Apple's iCloud and Find My iPhone systems couldn't come at a worse time for the company as it prepares for its biggest product launch in some time next week.