Apple: iCloud had nothing to do with celebrities falling victim to targeted attacks

    Apple has published details of its investigation into the high-profile theft of personal photos from celebrities' iDevices. According to the company's experts, the celebrities fell victim to so-called targeted attacks that rely on phishing messages. In this scenario, the attacker sends a special email to the victim's address and prompts the victim to provide the Apple ID password, which is then used to access the account. Such emails can use a variety of subjects to deceive users. This also means that the attackers did not use a tool like iBrute to exploit the vulnerability in the service through the “Find iPhone” API (the vulnerability is closed). iBrute brute-forces passwords. Meanwhile, new problems with the security of Apple's services are coming to light.



    As an additional security measure, Apple recommends protecting the account with two-factor authentication (2FA), which recently became available to Russian users. 2FA requires a special confirmation of access to the account (for example, an SMS message) even if the user or the attacker knows the account's username and password. But 2FA has a significant flaw: it does not protect the so-called "Photo Stream". That is, an attacker who has the Apple ID login and password can gain access to the private photos of a user with 2FA enabled. In addition, 2FA is unable to protect the device's backups stored in iCloud, from which attackers can extract all the device information that was previously archived.


    Fig. Slide from the presentation by Elcomsoft specialists at the Hack In The Box conference. 2FA does not protect access to some important cloud data.

    One of the forensics experts who examined the metadata of the stolen photos of Kate Upton said that the attackers could gain access to the device's backups stored in iCloud and then get the photos from there. A special tool could be used to carry out such an operation.

    If a hacker can obtain a user's iCloud username and password with iBrute, he or she can log in to the victim's iCloud.com account to steal photos. But if attackers instead impersonate the user's device with Elcomsoft's tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder
