Apple is denying there was anything wrong with iCloud yet they finally patched a gaping security flaw.
After a bevy of nude celebrity photos were stolen from iCloud accounts and posted on the web, Apple insisted that it wasn’t their fault, no one hacked their system, the celebs were careless about their passwords, the hackers didn’t take advantage of ‘find my iPhone’ and besides they fixed a gigantic security flaw within days of finding out about it…well, maybe a month or two after finding out about it…well, at least after somebody took advantage of the flaw anyway. So obviously it wasn’t Apple’s fault.
That’s a bit like saying ‘I categorically deny having anything to do with this and I promise never to do it again.’
The security issue that wasn’t Apple’s fault that they finally fixed after this whole mess hit the press was shockingly stupid and bordered on negligent. On most systems – at least those built by people who know even the most basic things about security – they only let you try to log in two or three times in a single login attempt. If you don’t enter the correct password or user name in those three attempts they system blocks you from trying again and usually prompts you to either answer additional security questions or offers to email your forgotten password to your email account.
This prevents a hacker from sitting at a keyboard all night trying hundreds of different passwords until they get lucky or more likely run an automated password guessing program that can cycle through thousands of different combinations of letters and numbers until it guesses the right one. These are knows as brute force attacks. No subtlety at all – just keep guessing until you find a password that works. In fact a hacker group pointed this out last May and suggested using brute force attacks to hack iPhone and iCloud accounts. But Apple didn’t do anything about it until after someone exploited the flaw.
Apple didn’t have this simple blocking procedure in place when the celeb’s pictures were stolen so hackers could simply run a password guessing program over and over again until it found the celebrity’s iPhone passwords. And since the iPhone password is usually the same password used to access iCloud accounts (Apple support actually recommends you use the same Apple ID for both) …well, it’s pretty easy to put two and two together here.
Apple does allow users to set up a more secure process they call two-step verification (sometimes known as two-stage authentication) where it sends a text message to your iPhone when you try to log into your account and you have to enter that code number as well as your password. This helps mitigate hacking attempts since a hacker would need to have both your password and your iPhone. But this security feature is not implemented by default and according to some reports it actually takes days to activate.
In fact there all sorts of security things in the world of Apple that aren’t activated unless the user goes out of their way to set them up and there are other things that could be risky that are activated by default and also require user intervention to turn them off.
Now if all those silly celebs had used better passwords and gone through all the steps necessary to activate two-step verification then perhaps none of this would have happened. Maybe they didn’t read the manual carefully enough…oh wait, the iPhone user guide doesn’t actually mention two-step verification anywhere. Well that’s not Apple’s fault is it?