2 September 2014

The iCloud leak: weak security isn’t only a problem for Apple’s backup service

Apple's cloud backup service, iCloud, has emerged as a likely weak link in the leaking of personal photographs of celebrities this week - but with online security, there are many possible ways for sensitive personal information to leak.

By Lauren Razavi

This week the world has experienced the biggest leak of naked celebrity photos in the history of the internet. And where did these photos come from? Apparently, straight from the smartphones of the celebs in question – obtained by a hacker (or hackers) and uploaded to image-sharing message board 4chan.

But what has quickly become known across the internet as “The Fappening” (seriously) has more significant implications than the revealing of famous people’s private parts. When the hysteria has died down, the important question is, should everyday iPhone users be concerned about data security?

The answer seems to be no. Although this historical event is being referred to as “an iCloud leak”, Apple has not confirmed that its servers were hacked and has yet to issue a statement on the issue. The broad consensus among security experts is that a straight Apple hack is an unlikely explanation. As you’d expect, there are a number of competing theories about exactly how these photographs were obtained.

The most prevalent idea is that this leak is the result of clever guesswork, amplified through a programme from web developers’ site Github. The software, ibrute, allows programmers to take advantage of a flaw in Apple’s “Find My iPhone” feature to input hundreds of passwords on iCloud accounts without being locked out. The fault has since been fixed by Apple as a result of ibrute’s appearance online.
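
An added example, not from the article or from Apple: a minimal sketch of the control whose absence the paragraph above describes, a failed-login counter keyed on the account and shared by every endpoint that accepts a password, so that no single interface can be used to keep guessing. The endpoint names, thresholds and events are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed policy: failures tolerated per window
WINDOW_SECONDS = 900  # assumed policy: 15-minute sliding window


class AccountThrottle:
    """Counts failed logins per account, whichever endpoint received them."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def attempt(self, account, endpoint, password_ok, now):
        """Return 'locked', 'ok' or 'failed'.

        `endpoint` is deliberately not part of the counter key: a limit
        enforced on one login path but not another is the kind of gap the
        article describes.
        """
        if len(self._recent(account, now)) >= self.max_failures:
            return "locked"  # refuse before the password is even checked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures[account].append(now)
        return "failed"


# Constructed events: (account, endpoint, password_ok, unix_seconds).
CONSTRUCTED_EVENTS = (
    [("user@example.com", "device_locator", False, t) for t in range(0, 50, 10)]
    + [("user@example.com", "device_locator", True, 50),   # guess is right, too late
       ("user@example.com", "web_login", True, 60),        # other endpoint, same lock
       ("user@example.com", "web_login", True, 1000)]      # window has expired
)


def replay(events):
    throttle = AccountThrottle()
    return [throttle.attempt(*event) for event in events]
```
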

Weaknesses in cloud storage could be to blame, but not just iCloud. The Dropbox and Google Drive services have also been cited as possible culprits, given that some of the leaked photos were taken on webcams and Android devices as well as iPhones. Additionally, many people use the same passwords across multiple accounts, so discovering a person’s login details for one service could easily result in access to another.

A more peculiar line of thinking suggests that the WiFi service at last month’s Emmy Awards was compromised, giving hackers access to the data on connected devices. A phishing scam – when websites masked as official services request and steal login details – is also a strong possibility.

Given that a full-scale infiltration of iCloud servers is unlikely, there are few measures that individuals can take to protect themselves, at least until the source of the leak has been confirmed. Users can take advantage of the extra security offered through the two-step verification process for Apple IDs, a service that provides additional protective measures so that accounts are more difficult for intruders to access.

The general security guidelines of many apps and web services also advise users to create unique usernames and passwords for each account they have, and to change those passwords periodically. In the case of a data leak through a programme like ibrute, however, such measures wouldn’t necessarily do much to assist. When it comes to online security, our model of passwords seems fundamentally flawed.
