How Olivia Munn’s Apple iCloud Account Got Hacked

Recently hundreds of celebrities’ private photos (including explicit photos) were leaked on the internet by unknown attackers who obtained them from Apple’s iCloud. We’re interested in understanding how this happened and how we can help prevent it in the future. What weakness in Apple’s security allowed this attack to take place?

Here is what we know:

How can we make sure our sites are not susceptible to the same types of attack?

Strong defensive programming techniques and basic web application security knowledge would have prevented this type of attack. Let’s take a deeper look at how these “brute-force” attacks work.

So what is a brute force attack?

Most brute-force attacks work by targeting a website, typically its login page, with millions of username and password combinations until a valid combination is found. The same concept can be applied to password-reset secret questions, promo or discount codes, or any other “secret” information used to identify a user.
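The server-side countermeasures the post has in mind when it says defensive programming would have prevented this are an account lockout after a few consecutive failures and a per-source rate limit, so that a guessing loop stops getting answers long before a wordlist is exhausted. The following is an added example written for this post, not code from the post or from Apple’s service; the thresholds, the in-memory stores, the PBKDF2 cost and the injectable clock are all assumptions chosen for illustration.

```python
"""Login handler with account lockout and per-source rate limiting.

Added example, not code from the original post or from Apple's service; the
thresholds, the in-memory stores and the injectable clock are assumptions.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # how long a locked account rejects every password
IP_WINDOW_SECONDS = 60    # sliding window for per-source attempt counting
IP_MAX_ATTEMPTS = 20      # attempts one source address may make per window


def hash_password(password, salt=None):
    """Salted PBKDF2; the same cost is paid whether or not the account exists."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so lockout expiry can be exercised
        self.accounts = {}        # email -> Account
        self.ip_attempts = {}     # ip -> timestamps of recent attempts

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.accounts[email] = Account(salt, digest)

    def _source_allowed(self, ip):
        now = self.clock()
        recent = [t for t in self.ip_attempts.get(ip, []) if now - t < IP_WINDOW_SECONDS]
        recent.append(now)
        self.ip_attempts[ip] = recent
        return len(recent) <= IP_MAX_ATTEMPTS

    def login(self, email, password, source_ip):
        """Return 'ok', 'denied' or 'throttled'; 'denied' never says which part was wrong."""
        if not self._source_allowed(source_ip):
            return "throttled"
        now = self.clock()
        account = self.accounts.get(email)
        if account is None:
            hash_password(password, b"\x00" * 16)   # equalise timing for unknown emails
            return "denied"
        if now < account.locked_until:
            return "denied"                          # locked: even the right password fails
        _, digest = hash_password(password, account.salt)
        if hmac.compare_digest(digest, account.digest):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
        return "denied"


def demo_lockout(service, email, guesses, source_ip, correct_password):
    """Try a short constructed wordlist against one account, then the correct
    password, and return every outcome: once the threshold is crossed the
    account is locked and the correct password is rejected too."""
    outcomes = [service.login(email, g, source_ip) for g in guesses]
    outcomes.append(service.login(email, correct_password, source_ip))
    return outcomes


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice@example.com", "correct horse battery staple")
    print(demo_lockout(svc, "alice@example.com", ["a", "b", "c", "d", "e"],
                       "203.0.113.5", "correct horse battery staple"))
```

Two design points matter here: the response for a wrong password, an unknown email and a locked account is the same generic "denied", so the endpoint does not confirm which emails exist, and the per-source limit is applied before any password hashing so that a flood of guesses cannot be used to burn server CPU either.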

Let’s look at a real example to understand how this works. Getting past the login screen is often the first step to breaking into most websites. But without a username and password, how can you possibly get in?

Since a Python proof-of-concept attack script was released on GitHub, we can look through the code and get a better understanding of how this attack works. The code can be found here:

First, the code reads passwords and emails from two different files. For the kind of targeted attack that was performed against celebrities such as Olivia Munn, the attacker already knew the victim’s valid email address. Emails are loaded into a variable called “apple_ids”. Loading these values can be seen on lines 79 and 83:

Next, for each apple_id (email address), the script tries each password by calling the “TryPass” method, shown below on line 98.

Take a minute to read over the following code snippet that actually sends the request:

On line 39, the target URL is constructed by placing the apple_id in the URL. Next, a User-Agent header is added and a JSON object is constructed. Presumably this information was reverse-engineered by the researchers by sniffing the FindMyiPhone HTTP traffic.

Finally, the email and password values are joined together and Base64-encoded into an Authorization header on line 64:

It’s interesting to note that the API is using “Basic” authentication, which has a number of known security weaknesses, including the inability to perform account lockouts.

The request is then sent and, based on the server response, one can tell whether the email and password combination is valid. This is repeated for each email address: the script goes through every password for one address, then moves to the next address and repeats the process. Given a long enough password list, the attacker will eventually discover the right password.
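From the defender’s side, the loop just described leaves a very recognisable trail in the authentication logs: a long run of failures against one account from one address, often ending in a success when the right password is reached, or one address producing a single failure against many accounts. The detector below is an added example, not code from the post or from Apple; the log line format, the sample entries and the thresholds are constructed for illustration, and the sliding-window logic generalises the single-account case the post describes to the many-accounts case as well.

```python
"""Detect password-guessing patterns in authentication logs.

Added example, not from the original post; the log format, the sample lines
and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def _line(ts, result, user, ip):
    return f"{ts.isoformat()} auth {result} user={user} ip={ip}"


def build_sample_log():
    """Constructed sample: one account hammered from one IP, one IP trying many accounts."""
    t0 = datetime(2014, 9, 1, 10, 0, 0)
    lines = []
    # 11 failures in under a minute, then a success: the password was found
    for i in range(11):
        lines.append(_line(t0 + timedelta(seconds=5 * i), "FAIL", "alice@example.com", "203.0.113.5"))
    lines.append(_line(t0 + timedelta(seconds=60), "OK", "alice@example.com", "203.0.113.5"))
    # benign traffic: a normal login and a single mistyped password
    lines.append(_line(t0 + timedelta(seconds=70), "OK", "bob@example.com", "192.0.2.10"))
    lines.append(_line(t0 + timedelta(seconds=80), "FAIL", "carol@example.com", "192.0.2.11"))
    lines.append(_line(t0 + timedelta(seconds=90), "OK", "carol@example.com", "192.0.2.11"))
    # one source making one guess against each of six different accounts
    for i in range(6):
        lines.append(_line(t0 + timedelta(seconds=300 + 2 * i), "FAIL", f"user{i}@example.com", "198.51.100.7"))
    return "\n".join(lines)


def parse_log(text):
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not an auth record; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _window_hits(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, window_seconds=300, max_failures=10):
    """Accounts with too many failures in one window, noting whether a success followed."""
    fails = defaultdict(list)
    last_success = {}
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]].append(ev["ts"])
        else:
            last_success[ev["user"]] = ev["ts"]
    flagged = {}
    for user, times in fails.items():
        hits = _window_hits(times, window_seconds)
        if hits >= max_failures:
            followed = user in last_success and last_success[user] > max(times)
            flagged[user] = {"failures_in_window": hits, "success_after_failures": followed}
    return flagged


def detect_spraying(events, window_seconds=300, min_accounts=5):
    """Source addresses whose failures touch many distinct accounts within one window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            per_ip[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for ip, items in per_ip.items():
        items.sort()
        best = start = 0
        for end, (t, _) in enumerate(items):
            while (t - items[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({u for _, u in items[start:end + 1]}))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("brute force:", detect_brute_force(evs))
    print("spraying:", detect_spraying(evs))
```

The "success after failures" flag is the one worth paging on: a burst of failures followed by a success on the same account is the signature of a guess that landed, and the response is to invalidate that session and force a reset rather than simply to block the source address.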

After collecting valid passwords, the attacker was able to download the iCloud backup for the user.

Apple has since closed the security bug.

In my next post, I’ll show you how to find and fix these types of security holes in your own applications.

Have any of your accounts or websites ever been hacked? Let me know what happened in the comments below!