Leaking private celebrity photos: a detailed investigation by an Australian developer

    This week the Internet was shocked by the story related to the leak of hundreds of intimate photos of celebrities (articles on Habré on a related topic here and here ). One of the most thorough investigations of the story had born Australian entrepreneur, blogger, an engineer and a software developer (all in one) Kubrilovich Nick ( Nic Cubrilovic ). Nick is known for having been a journalist and consultant to Techcrunch and Crunchpad, a TechcrunchIT editor, founder or co-founder of Omnidrive, Solutionstap, MyVirtualDrive, Webwall, 2web, and more at different times in his career. Details - under the cut.

    Disclaimer:While working on the callback module on the Witget platform, we constantly sift the Internet for new trends or ideas (who will be interested in our new product that has a direct bearing on the topic of the article can be found in the postscript). Studying privacy, we came across an investigation article from Nick. It seemed so interesting to us, reflecting the importance of the trend for privacy and the utmost vulnerability of us all, that we decided to completely translate it and share it with the hawkers. Translated as they could, so do not judge strictly (after the article a link to the source is given). The translation is made in the first person.

    It is interesting how information security periodically collides with other industries and subcultures. Since now a huge amount of information is stored and distributed on the Internet and through various devices, hacking stories will not surprise anyone. This happened on September 1 - dozens of celebrities fell victim to hackers who managed to steal hundreds of private photos and videos from cloud data storages.

    The essence of the story is that a huge number of intimate photos of many famous celebrities began to appear on image boards and forums, the most famous of them - anon-ib, 4chan and reddit.

    The first photos were published almost two weeks ago, but did not attract much attention, as they were put up for sale (only censored previews were offered in the hope that someone would buy these photos). Only after several users purchased them and published uncensored in public forums, did they start talking about this story.

    At least a dozen celebrities are involved in this story - more than 400 personal photos and videos in the form of dumps were stolen from them. An anonymous list of celebrity names was published, designed in the style of an advertising booklet in which it was stated that the personal data of more than 100 people were compromised.



    After this story happened, I plunged into this crazy subculture of the captors of intimate photos and indecent videos of celebrities for a while, trying to figure out what the hackers did, how they did it, and what can be learned from all this.

    1. The part of personal information that users see after all these hacker incidents is just the tip of the iceberg .


    Metaphor of the Internet - its visible and invisible parts

    There are entire communities and retail chains where the stolen data is transferred to private hands, and it is rarely shared with the public. Hacks occur constantly by a special group of people, each of whom has his own specific role. This activity is poorly organized, but there are a huge number of sites (both the open Internet segment and Darknet, the part of the network hidden from search engines where all users remain anonymous), where there is communication between “market participants”, but most of the communication between them via email and instant messaging.

    2. Purpose- steal personal data from the victim’s phone by accessing the cloud-based backup services integrated into the iPhone, as well as Android and Windows Phone. To access these storages, a user ID, password or authentication key is required - an identification sign.

    3. Crackers can be divided into several categories:

    • Users who monitor Facebook and other social networks, looking for suitable "targets" and collecting as much information as possible about them. Data collection includes the study of public data archives and the acquisition of credit history. The collection of data on the victim includes the creation of fake accounts to add “targets” to friends or follow friends, perseverance in obtaining information that can help answer secret questions, establish closer contacts with “target” friends, etc.
    • Users who use the data to “recover” passwords or authenticate. There are several methods for this, for many of them there are even instructions available online. The most common methods are RAT ("remote administration tool" - a remote administration tool) - a utility for unauthorized access to a remote user system, phishing, password recovery and reset. RATs are simple remote access tools that trick you into installing a user through private messages or e-mail (under the guise of a link or attachment) on his phone or computer. In the case of phishing, an email is sent to the victim with a request to reset or change the password, which fraudulently forces the user to enter the password on the site or in a form that is controlled by the attacker. Reminding the password gives access to the user's email account (again using security questions or other techniques), and obtaining a link by clicking on which the attacker gains access to the cloud data storage. In the case of the password reset technique, you need to specify the date of birth and answer a secret question (often it is necessary to indicate publicly available data - birthdays, favorite sports teams - so you can hack the page without much difficulty).
    • Users who receive a username and password or authentication key, and then hack into cloud backup services using software and tools like Elcomsoft EPRB . Of course, this software is pirated and supports the ability to hack all backups and dump dumps, including messages and deleted photos.
    • Next, " collectors " collect all the stolen data, and distribute them into folders. They typically use Dropbox and Google Drive. These same people subsequently create a preview for each group of photos, and leave their email on them for communication. E-mail addresses of such "collectors" or other sellers of images can be obtained on the recommendation, usually through someone who is engaged in hacking or illegal copying.


    4. A common source of new customers in this area are newcomers who want to hack someone , and turn to one of the networks that provide these services, usually finding it by keywords or in forums. A new client needs to provide a link to a Facebook account, as well as as much information as the hacker needs to break into the page; plus all possible assistance in installing RAT, if necessary. In exchange, crackers will provide the customer with a copy of the extracted data, which they will also keep for themselves. For me, this is the most unpleasant aspect of such networks - the realization that there are people who tell everything about their friends in order to get a dump with all their personal data.

    5.I studied a lot of posts on forums and imageboards, entered into correspondence, sent requests for services of similar services, etc., and the rather crude FindMyPhone API technique (publicly exposed and used in iBrute ) was not mentioned anywhere . This does not mean that it is not used by hackers privately. However, judging by the required level of skills, mentions and instructions for using other techniques, some boasting about successes in social engineering, password recovery and reset, phishing and RAT, it turns out that such techniques were not needed , or even unknown among hackers.



    6. The most popular “target” for hacker attacks is iCloud, because there Picture Roll backups are included by default, besides this iPhone is a very popular platform. Windows Phone backups are available on all devices, but are disabled by default (they are often turned on, although I could not find statistics), while Android backups are carried out using third-party applications (some of which are also attacked).

    Google+ provides a set of features for backing up photos uploaded through the app.

    7. Apple accounts seem particularly vulnerable due to the recovery process, password requirements, and the ability to determine if iCloud has an account for this email address.The recovery process is divided into several stages, and in principle, a hacker can be defeated at each of them. Despite the fact that Apple does not disclose whether the email address is a valid iCloud address during the recovery process, they will be “spoken out" whether it is valid or not if you try to register a new account using the same email, so verify it (or hack) no problem. The second step is checking the date of birth - and it will be successfully completed if the hacker can guess (and he most likely already knows her); as for the last step, it involves two security issues. It would be better for Apple to destroy the registration interface, which shows new users whether their e-mail is available as an account on iCloud or not. It would also be a good idea to fit the entire recovery process in one big step, where all the data is checked once, and an error message is not sent to the user. In addition, it would be wise to introduce speed limits and hard block this process for each account.

    Ability to post an email address at https://appleid.apple.com/account/validation/appleid(Update: Apple closed this hole and the link no longer works) and receiving a response indicating whether your account is valid or not, as well as the almost complete absence of speed limits, is a real bug.

    a) To remind once again what are the main techniques that were used in hacking, I will list them in order of popularity / effectiveness:
    • Password reset (security questions / answers)
    • Email Phishing
    • Password recovery (hacking email account)
    • Social Engineering / Install RAT / Authentication Keys


    b) Once they have got access to the account, consider that they have access to all the data - they can determine the location of the phone, intercept SMS and MMS messages, recover deleted files and photos, remotely erase the device’s memory, etc. In our example, hackers were mainly interested in personal photos, but for some time they could completely control the account.

    8. Authentication keys can be stolen by a trojan (or using social engineering) from a computer with iTunes installed. Elcomsoft created a tool called atex , which performs this operation. On OS X, this key is installed using a special electronic “key fob”. The authentication key is as good as the password.

    Scheme of keychan









    9. A vuhfaktornaya authentication for iCloud not help out in preventing the use of a password or authentication key to retrieve backups. Two-factor authentication is commonly used to protect account details and updates.

    10. Regularly there is just a huge number of hacks. There are dozens of forums and image boards where hackers offer their services. Those who offer to import data, only in exchange for a username and password, and do not ask for anything for it, in fact, scammers, they steal data, and then sell it or exchange it.

    11. The average user security level in such networks is extremely low.. 98% of the email addresses indicated on forums in ads as advertisements are served by popular providers (gmail, outlook, yahoo) that do not support Tor and do not allow anonymous actions. When hacks take place, most users immediately start talking about using a VPN, saying that these technologies are the best, fastest and allow you to maintain confidentiality. It was also incredibly easy to spread the latest data leaks all over the Internet (more on this later), find servers with dumps, etc.

    12. On the Darknet forums, they write a lot of tips on how to hack step by step, and also provide a database of passwords and logins, and various documentation on this topic, but with regard to the distribution of content, they are usually one step behind the publicly accessible image boards. Of course, the latter are more useful for maintaining the popularity of content after it is published, and users will come to them more often if new information leaks occur. In the past, Overchan and Torchan constantly received requests from new users who wanted to get links to the darknet, and now imageboards have received this traffic.

    13. Different file formats and names, information inconsistencies and residual data, such as Dropbox files found in dumps, can be explained using various recovery software(some of which restores the original file names, and some not), plus, dampers and distributors often use Dropbox to distribute files. It is not known how many hackers were involved in the data extraction process, but I assume that the celebrity list was an internal list of one of the retail chains. Timestamps, forum posts, and other data indicate that this collection has been created over a long period of time.



    14. On the topic of information security. It was easy to track down one of the distributors who posted the purchased private images on 4chan and reddit.. He posted a screenshot as part of a presentation that talked about selling 60 or more images and videos of the same celebrity, but did not cover his computer name or the names of other computers on his local network.

    The reddit user drove this number on Google and tracked down the company he worked for (although they suspected the wrong employee). In the process of tracking each of these names, one of them led back to the reddit account, where a screenshot with the exact same interface was posted (the guy had a bad habit of taking screenshots from his computer). He denied the fact that he was the source of the image, but this guy is certainly a distributor who bought photos from a private network, because at that time these images had not yet leaked to the Internet.

    15. Personally, II do not distinguish between those who steal data directly and those who “just” buy it, in order to subsequently profitably sell it to the public.

    16. It seems that a lot has gone wrong over the past few days, not only with our new friend, but also with other members of this network. They were not going to make these images public,but someone, perhaps a distributor previously identified by us, decided that the opportunity to make money was too good to pass by, and decided to sell some images. The first post in this series that I could track was made 5 days before the story went public, that is, on August 26th. Each of these posts contained an image with censorship and an offer to pay a certain amount to receive a version without censorship. After several such posts that no one paid attention to (thinking it was a divorce), our distributor decided to publish uncensored versions that quickly spread to anon-ib, 4chan and reddit. My theory is that other network members, seeing leaks and offers to buy photos, also decided to make some money, believing that the value of the images will soon be zero,

    17. With regard to staying safe, the most obvious measures are choosing a more secure password, using answers to security questions that are long random strings, and enabling two-factor authentication. It is also a good idea to protect your email using a single address that no one will know for “sensitive” accounts, such as Internet banking, cloud storage, etc., and a separate communication address that you do not hide. The phones do not have a privacy mode, where all your data and metadata are stored in one place, in this case, the only solution to save a private or more anonymous profile is to purchase a separate phone where the account will be created in a fictitious name. There is a good reason why drug dealers carry several phones with them, hiding their real identity in the “work” process.

    18. There is no software that users can install and simply update subsequently to always feel completely safe.Responsibility lies with both the developers and the users themselves. Users should be able to compose the correct passwords (unique, long, passphrases), as well as master the basics of security and anonymity.

    Apple said the following:

    After more than 40 hours of investigation, we found that the accounts of some celebrities were compromised by targeted attacks on usernames, passwords, and security questions; This practice is now quite common on the Internet. In none of the cases that we investigated were the problems caused by a malfunction of one of the Apple systems, including iCloud or Find my iPhone. We continue to work with law enforcement agencies to help identify the perpetrators.
    To protect against this type of attack, we recommend that all users use a strong password and enable two-step verification. "


    Source: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/ .

    Only registered users can participate in the survey. Please come in.

    What methods do you use to protect your personal data?

    • 25.7% Long Strong Password 540
    • 8% Different emails for different purposes 168
    • 1.3% Specialized software 29
    • 0.5% Answers to secret questions 12
    • 20.8% Two-Step Authentication 437
    • 11.3% None :( 237
    • 32% I minimize personal data available on the Internet 672

    Also popular now: