
iCloud celebrity photo hack: texts, address books and more 'also accessible'


Security expert Nik Cubrilovic says more than just photos were accessible. Photo: Andrew Meares


It's not just nude photographs Jennifer Lawrence, Kirsten Dunst and other victims of the celebrity photo theft have to worry about being accessed by hackers - it's their GPS coordinates, private text messages, calendars, address books, phone call logs and any other data stored on their phones and backed up to the cloud.


It's now been confirmed by Apple that more than 100 celebrity iCloud accounts were compromised 'by a very targeted attack on user names, passwords and security questions' resulting in more than 400 photographs leaked online.



Jennifer Lawrence was one of many targeted. Photo: Getty Images


But it's almost certain the hackers were able to gain access to much more than just photos, Australian security researcher Nik Cubrilovic told Fairfax Media.


Mr Cubrilovic, who has been investigating the saga since Monday, said that victims' calendars, text messages, address books, and any notes stored on their iPhones were also likely accessed by the hackers, but not published.


The data would've been accessible as the hackers would have been able to extract more than just pictures from iCloud back-ups using special forensic software.


Real-time GPS coordinates would also have been available to the hackers through the Find My iPhone feature, which pinpoints locations, he said.


In a blog post, Mr Cubrilovic, who recently found flaws in the federal government's myGov website, said the hacking of celebrity accounts seemed 'to only be scratching the surface'.


'There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public,' he wrote.


'The networks are broken down horizontally with specific people carrying out specific roles, loosely organised across a large number of sites ... with most organisation and communication taking place in private [via email or instant message programs].'


He said their goal was to steal private media from a target's phone by accessing cloud-based back-up services that are integrated into iPhone, Android and Windows Phone devices.


To access the back-ups, he said, hackers typically required only a victim's user name and password, or an 'authentication token' stored locally on the victim's desktop computer. The token can be extracted using malicious software sent to the victim, known as a RAT, or Remote Administration Tool. This token is often used by iTunes to prevent a user having to log in to their Apple account multiple times and can also be used as a login to iCloud, he said.


Mr Cubrilovic believed it was only one particular person trying to cash in on the nude photos who caused the hacking scandal to go public.


'It appears the intention was to never make these images public, but that somebody ... decided that the opportunity to make some money was too good to pass up and decided to try to sell some of the images,' he said.


Mr Cubrilovic also described how the hackers used various social engineering techniques to gain access to victims' accounts. One method involved sending fake emails to users pretending to be Apple and telling them they needed to send their secret questions back to them in order to keep their accounts active.


Mr Cubrilovic said the hackers also gathered information about people through other means, including Facebook profiles, in order to break into their iCloud accounts.


'Obtaining data on a target includes setting up fake [social media] profiles, friending or following friends of the target, being persistent with extracting information that might help answer secret questions, approaching male friends of the target, etc,' he said.


Mr Cubrilovic concluded that there was 'an insane amount of hacking' going on in dark corners of the web.


'On any day there are dozens of forum and image board users offering their services,' he said.


He also said that Apple's security around iCloud was not sufficient.


'Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online back-ups,' he said.


'Two-factor authentication is [only] used to protect account details and updates, [not iCloud back-ups].'


The founder of security firm Threat Intelligence, Ty Miller, told Fairfax Media large online services such as Facebook, Twitter and iCloud suffered 'hundreds of security breaches every day on their accounts' despite having good security measures in place.

