Apple has artfully crafted a press release exonerating itself from blame for this weekend’s celebrity nude photo hack, and tsking the Internet. But it has a glaring omission that I hope doesn’t fool too many people.
“We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” the statement says.
It fails to mention that Apple enabled the so-called brute force attack by not implementing a standard cap on login attempts. We’ve all been there — after 3 or 5 attempts, the website or gadget locks us out. This annoying feature is designed to prevent a hacker from rapid-fire attempting thousands of passwords to gain access to our accounts. The folks behind HackApp said iCloud’s problem was it failed to deploy such a security feature.
This attack vector was described here several days ago, and the vulnerability fixed around the time the photos were leaked, according to @HackApp. One can only assume the flaw was linked to the celeb attack…if it weren’t, Apple would have issued a clear denial. By not mentioning the vulnerability and fix, Apple appears to be hiding something. Big mistake: with today’s Home Depot news, it’d be a great day for a mea culpa.
By the way, the attackers say many tools that allow logins from multiple gadgets fail to implement brute-force login caps. Worth noting.
Sign up for Bob Sullivan’s free email newsletter.
