Massive Celeb Leak Brings iCloud Security Into Question

Use Netsparker


So this leak has caused quite a furore, normally I don’t pay attention to this stuff – but hey it’s JLaw and it’s a LOT of celebs at the same time – which indicates some kind of underlying problem. The massive list of over 100 celebs was posted originally on 4chan (of course) by an anonymous user who seems to have collected/bought the pictures using Bitcoin.

Celebrity Nudes on 4Chan

Some fingers are being pointed at iCloud and the security of it, as many of these pictures have been deleted and have been somehow rescued from the cloud. Some of the users are claiming they use Android though, but they might have synced the pictures to their Macbook and that was uploaded to iCloud.

Naked photos of celebrities including Jennifer Lawrence, Kate Upton and Ariana Grande have been published online by an anonymous hacker who reportedly obtained the explicit pics from the victims’ Apple iCloud accounts.

Nude photos of 17 celebrities have been published online. The anonymous hacker posting on grime-‘n-gore board 4chan claimed to possess naked pics of more than 100 celebrities in total.

Lawrence’s publicist Bryna Rifkin confirmed the validity of the photos and condemned their publication.

“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” Rifkin told Buzzfeed.

However a separate set of images included in the hacked celeb haul purporting to show singer Victoria Justice in various states of undress were called out as fake.

Justice published a photograph where her face was clearly taken from an earlier photo and plastered on the body of a naked woman.

Other photos appeared legitimate but were not yet confirmed by those affected.


There’s not a lot of details right now, but there is a whole lot of speculation about what’s going on (Google Drive, Dropbox, iCloud and more). This is why if you use an iPhone you should know what Photo Stream is (and how to disable it), or Dropbox Camera Upload, or Google Photo Sync.

I’m guessing there’s more to come as only a few of the pictures have been released so far. I’m not sure if Apple are even going to bother saying anything, as well even when there’s a fairly security flaw they tend to just keep quiet. iCloud security issue? Who cares man.

The identity of the unscrupulous hacker including any alias appeared to be unknown. They posted the images to the 4chan ‘/b/’ image board from where it was quickly circulated on social media sites including Reddit.

The assailant seems likely to face a well-resourced investigation by US authorities, who take a dim view of this sort of thing.

In June, Romanian hacker Marcel Lazar Lehel, a.k.a. Guccifer, was sentenced and faced seven years jail with three years served for hacking email accounts of former US President George Bush along with other US officials, celebrities and UK pollies.

And in 2011 Florida man Christopher Chaney was arrested after he hacked the email accounts of Scarlett Johansson and some 49 other celebrities and was sentenced to 10 years’ gaol.

The hacking serves as a timely reminder to ensure important passwords were not reused across websites or services and were not based on single words or common phrases.

There was an interesting proof of concept of an AppleID bruteforcing tool here – ibrute – which is fixed now, but it could have been used to pop these accounts. It authenticated against the Find My iPhone API which had no bruteforce protection implemented.

There’s even an entire subreddit about the leak here, which has been labelled ‘The Fappening’ – http://www.reddit.com/r/thefappening

Let’s see what more info (if any) comes out after this.

Source: The Register

Posted in: Apple, Privacy

, , ,


Latest Posts:


Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.


One Response to Massive Celeb Leak Brings iCloud Security Into Question

  1. Sid September 3, 2014 at 3:20 am #

    Interesting. Especially the part where they named the subreddit – “The Fappening”!