You may have already seen or at least heard about the nude Hollywood celebrity images that flooded the Internet over the weekend as some hackers managed to crack the iCloud passwords of the victims. Apple refused to take enough blame in the photo hack, as the company’s carefully crafted response shows. But the reality looks different: What the story and the investigation around it reveal is that Apple’s iCloud isn’t as safe as Apple wants us to believe. So the issue is bigger than we originally thought.
As Wired points out, besides the Find My iPhone API vulnerability discovered by security researcher Alexey Troshichev — the man behind iBrute — there is another piece of information that completes the picture of the celebrity nude hack: a piece of software designed to siphon data from iPhones.
The bad news: While you may understand why it is used by law enforcement agencies, this tool is available to everyone for a certain fee ($400 or via the internet).
This software is called EPPB (Elcomsoft Phone Password Breaker). As the conversation on the Anon-IB site — a place where users can post stolen nude images — shows, the hackers are using EPPB to obtain data from iCloud.
So if a hacker can obtain your username and password with iBrute, he/she can log into your iCloud account and steal not just photos but the whole iPhone backup that contains the data you save from your phone.
And to back up the above theory of regular users being targeted by hackers, you only need to head to Anon-IB, where conversations reveal that photo stealing isn’t limited to just a few celebrities.
Apple has allegedly patched the Find My iPhone vulnerability, but hackapp tweeted the other day that Apple’s patch depends on the region. So we can only hope that Apple fixes this issue soon and will focus on protecting users’ privacy as promised.