In 2010, two hackers discovered a hole in AT&T’s website that allowed them to obtain email addresses and SIM card identifiers for iPads using that network. After much legal wrangling, their case was vacated, but you would think the debacle would weigh heavily on minds at Apple.
Fast forward to a few days ago. A crowd of unruly 4channers and redditors extracted photographic images of celebrities in the nude and in the midst of sexual activity from Apple’s iCloud service. While Apple blames the user, as it is usually does, a similar exploit as was used in the AT&T hack may have been used against Apple in this instance:
Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recover process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step are the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.
Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug. – “Notes on the Celebrity Data Theft,” New Web Order, September 2, 2014
In particular, you might think that having seen this vulnerability before, Apple might have corrected it. But apparently not. Since a new round of litigation has launched in response to the damaged careers and wounded self-esteem of up to 50 celebrity women, we may not know how this hack occurred for some time. But it seems suspicious that the two are linked.
The 2010 hack involved using a similar loophole to extract information about Apple users on AT&T’s network. In that case, the hackers were grey hat — Weev (Andrew Auernheimer) and Daniel Spitler — and felt that they should notify AT&T before leaking the information. For their troubles, AT&T initiated legal action that resulted in arrests, confiscations, and loss of livelihood.
Here’s a description of how they got that information on Apple products and users:
AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their email address. AT&T linked the user’s email address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s email address.
Auernheimer and Spitler discovered that the site would leak email addresses to anyone who provided it with a ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” — to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of iPad users. – “Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’,” Wired, April 11, 2014
The similarity of these hacks should make Apple and every other major tech corporation consider its security policies — especially since a similar hacking method was widely reported in 2012. We the users know it is a balance between convenience and security, and if either side wins out too much, someone suffers. A product that requires too many hoops will fall behind in market share, and a product that is too easily hacked will face the same fate, much as Apple’s iCloud may in the future. But somewhere a line must be drawn.