Tuesday, September 2, 2014

Glitch in Apple iCloud security may have been behind photo 'leak', experts claim - Telegraph.co.uk


Arik Hesseldahl, senior editor at the technology news website Re/code, told BBC Radio 4’s Today programme it was believed the Apple system had allowed the hacker to make “infinite numbers of guesses” rather than locking them out after a certain number of incorrect password attempts.


He said: “There was a vulnerability that was previously unknown, taken advantage of by the attackers and there was another thing that the hackers had at their advantage, for whatever reason Apple apparently, and we don’t know exactly what happened, had allowed whoever was carrying out the attack to make infinite numbers of guesses.


“So you know, in a lot of cases when you’re making a guess at a password you get like maybe five, ten, five chances and then if you get it wrong the fifth time you’re locked out from the account completely.


“In this case they were allowed infinite guesses and that allowed them to just run their computer programmes over and over, ad infinitum until they got something that was correct.”


Apple has confirmed it is looking into the hack, spokeswoman Natalie Kerris said.


"We take user privacy very seriously and are actively investigating this report," she said.


The FBI will take the lead in the investigation, with spokeswoman Laura Eimiller saying the agency was "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter."


Jennifer Lawrence's publicist Liz Mahoney called the leaked photographs "a flagrant violation of privacy" and said the actress had asked US authorities to prosecute whoever is posting the photos.


Other stars said to have been affected by the nude picture leak include Avril Lavigne, Cat Deeley and Rihanna, with actress Mary Elizabeth Winstead already acknowledging that pictures in which she is featured are genuine.


She wrote online: "To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves."


A computer tool that repeatedly guesses passwords was found online.


The programme script was posted to software site GitHub and shared on Hacker News, but a message has since appeared saying that Apple has issued a "patch" or fix for the bug.


"The end of the fun, Apple has just patched," read an update on the post.


Owen Williams from technology site The Next Web, who discovered the bug, said: "The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's 'Find my iPhone' service without alerting the user or locking out the attacker.


"Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly.


"Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.


"If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user's knowledge.


"We can't be sure that this is related to the leaked photos, but the timing suggests a possible correlation."
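The missing control described in the quotes above is a lockout that counts failed guesses per account no matter which service receives them, and that tells the account owner when it triggers. The sketch below is an added example, not Apple's code and not the script from GitHub; the endpoint names, the 15-minute lockout and the sample account are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # "five chances", as in the quote above
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginGuard:
    """One failure counter per account, shared by every login endpoint."""
    def __init__(self, verify, notify, clock=time.monotonic):
        self.verify = verify    # callable(account, password) -> bool
        self.notify = notify    # callable(account, message): alert the owner
        self.clock = clock
        self.state = {}

    def attempt(self, endpoint, account, password):
        st = self.state.setdefault(account, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"     # refused before the password is even checked
        if self.verify(account, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            self.notify(account, f"locked after repeated failures via {endpoint}")
            return "locked"
        return "denied"

def demo():
    # Constructed sample: a guessing run that alternates between two
    # hypothetical endpoints, ending with the correct password.
    alerts, now = [], [0.0]
    guard = LoginGuard(
        verify=lambda a, p: (a, p) == ("user@example.com", "correct-horse"),
        notify=lambda a, m: alerts.append((a, m)),
        clock=lambda: now[0])
    guesses = ["123456", "password", "qwerty", "letmein", "iloveyou", "correct-horse"]
    endpoints = ["web_login", "device_locator"]
    results = [guard.attempt(endpoints[i % 2], "user@example.com", g)
               for i, g in enumerate(guesses)]
    return results, alerts

if __name__ == "__main__":
    print(demo())
```

Because the counter lives in one place, switching endpoints does not reset it, and the sixth guess is refused even though it is the right password.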









Source: Top Stories - Google News - http://ift.tt/1udZmxs
