updated 06:00 pm EDT, Mon September 1, 2014
Further evidence undermining claims pictures were stolen from Apple's servers
Even as Apple on Monday issued a terse statement saying only that "we take user privacy very seriously and are actively investigating this report," concerning the leak of compromising images from 101 celebrities, the 4chan poster who released the compromising images and video has now admitted that the pictures come from a variety of sources. In the meantime, Apple has patched a potential security flaw that could have allowed attackers to brute-force their way into obtaining weak iCloud passwords.
Some of the celebrities pictured shot their "selfies" using non-Apple smartphones, further diluting the claim that iCloud played much -- if any -- role in the leaks, reports AppleInsider. There is a long history of image leaks that were claimed to be result of "hacks," but were later found to be the work of more conventional data-stealing techniques such as easily-guessable passwords or social-engineering trickware that revealed the credentials.
That the leaked images were all of female celebrities and from a small pool of said persons would further suggest that no mass-leak of individuals' private photos or other data has actually occurred, and that the new files are more likely the result of other methods targeted at a specific pool of celebrities. A number of the photos seem more likely to have been acquired from services that claim to delete sent images after a short period, but can often be captured anyway, such as Snapchat.
While Apple's iCloud service may or may not have any role in the capture of the private images, the publicity of the case has unearthed a possible vector of attack that Apple has since fixed. Prior to last night, it was possible for hackers to use "brute-force" guessing techniques to uncover the Apple ID and password of specific targets, particularly if said targets had "weak" passwords.
While some have speculated that this could have been a source for at least some of the images released, there is as of yet no evidence of the brute-force method having been successfully used. Apple should be able to determine if that technique was used through records of login attempts on the accounts of any of the celebrities, at least some of whom do use iPhones and iCloud.
Further undermining the claims of iCloud involvement, however, is the fact that iCloud content is stored in an encrypted format, specifically to guard against unauthorized individuals obtaining access to Apple's servers. In addition, the company uses a minimum of 128-bit AES encrypting for the data even while it is in transit, making the content encrypted from end-to-end.
Apple has also been requiring the use of "stronger" passwords with iCloud and iTunes accounts for some time. Though this does not entirely rule out the possibility that some of the victims of the attack still relied on "weak" passwords and thus had their accounts compromised, it does essentially eliminate the possibility of a hack of Apple's iCloud servers as a method to obtain the data.