Recently hundreds of celebrities’ private photos (including explicit photos) were leaked on the internet by unknown attackers from Apple’s iCloud. We’re interested in understanding how this happened and how we can help prevent it in the future. What weakness in Apple’s security allowed this attack to take place?
Here is what we know:
- Most reports indicate the accounts were compromised through “brute-force” attacks against the “Find My iPhone” service.
- Once usernames and passwords were obtained, tools were used to download and “rip” iCloud backups, which were then reviewed for sensitive information such as pictures. (http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/)
- A hacking presentation about these weaknesses was given back in 2013. (http://www.zdnet.com/apples-icloud-cracked-lack-of-two-factor-authentication-allows-remote-download-7000022196/)
- Rumors indicate a security researcher informed Apple about the weakness months before the breach. (http://www.businessinsider.com/apple-icloud-problems-before-nude-celebrity-photo-hack-2014-9)
- At first, Apple said it wasn’t a problem with its security controls, but it later stated that it had enhanced security to protect against such attacks. (http://bits.blogs.nytimes.com/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/)
How can we make sure our sites are not susceptible to the same types of attack?
Strong defensive programming techniques and basic web application security knowledge would have prevented this type of attack. Let’s take a deeper look at how these “brute-force” attacks work.
So what is a brute force attack?
Most brute-force attacks work by targeting a website, typically its login page, with millions of username and password combinations until a valid combination is found. The same concept applies to password-reset secret questions, promo or discount codes, or any other “secret” value used to identify a user.
Let’s look at a real example to understand how this works. Getting past the login screen is often the first step to breaking into most websites. But without a username and password, how can you possibly get in?
Since a Python proof-of-concept attack script was released on GitHub, we can read through the code to get a better understanding of how this attack works. The code can be found here: https://github.com/hackappcom/ibrute
First, the code reads passwords and emails from two different files. For the type of targeted attacks that were performed against celebrities such as Olivia Munn, the attacker already knew the victim’s valid email address. Emails are loaded into a variable called “apple_ids”. Loading these values can be seen on lines 79 and 83:
Next, for each apple_id (email address), the script tries each password and calls the “TryPass” method, shown below on line 98.
Take a minute to read over the following code snippet that actually sends the request:
On line 39, the target URL is constructed by placing the apple_id in the URL. Next, a user-agent header is added and a JSON object is constructed. Presumably the researchers reverse-engineered this information by sniffing the Find My iPhone HTTP traffic.
Finally, the email and password value are joined together and base64 encoded into an authorization header on line 64:
It’s interesting to note that the API uses “Basic” authentication, which has a number of known security weaknesses, including the inability to perform account lockouts.
The request is then sent, and based on the server response, one can tell whether the email and password combination is valid. This is repeated for each email address: the script works through every password for one address, then moves on to the next address and repeats the process. Given a long enough password list, eventually the attacker will discover the right password.
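The pattern just described, one account hammered with many passwords in a short time, is exactly what a login endpoint should be able to notice and stop. The following is an added defensive example, not code from the original post or from the ibrute project: it parses constructed authentication log lines in a hypothetical format, counts failures per account in a sliding window, raises a lockout alert once the threshold is hit, and flags a success that follows such a burst (the signal that a guessed password just worked).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (assumption: one
# login attempt per line); these are not real iCloud or Find My iPhone logs.
SAMPLE_LOG = """\
2014-09-01T10:00:00Z login user=alice@example.com src=203.0.113.5 result=fail
2014-09-01T10:00:01Z login user=alice@example.com src=203.0.113.5 result=fail
2014-09-01T10:00:02Z login user=alice@example.com src=203.0.113.5 result=fail
2014-09-01T10:00:03Z login user=alice@example.com src=203.0.113.5 result=fail
2014-09-01T10:00:04Z login user=alice@example.com src=203.0.113.5 result=fail
2014-09-01T10:00:05Z login user=alice@example.com src=203.0.113.5 result=success
2014-09-01T10:00:06Z login user=bob@example.com src=198.51.100.7 result=fail
2014-09-01T10:30:00Z login user=bob@example.com src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return (timestamp, user, source_ip, result) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=15)):
    """Flag accounts with >= max_failures failed logins inside `window`,
    and flag any success on an account that is already in the locked state."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        recent = failures[user]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if result == "fail":
            recent.append(ts)
            if len(recent) >= max_failures and user not in locked:
                locked.add(user)  # a real system would reject further attempts here
                alerts.append(("lockout", user, src))
        elif result == "success" and user in locked:
            alerts.append(("success_after_burst", user, src))
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` on the constructed log flags alice’s account for lockout on the fifth failure and then flags the success that immediately follows it, while bob’s single failure followed by a success half an hour later produces no alert.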
After collecting valid passwords, the attacker was able to download the iCloud backup for the user.
Apple has since closed the security bug.
In my next post, I’ll show you how to find and fix these types of security holes in your own applications.
Have any of your accounts or websites ever been hacked? Let me know what happened in the comments below!