updated 01:13 pm EDT, Mon September 1, 2014
Vulnerability in Find My iPhone authentication system patched today
A script which allowed access to iCloud servers may have been behind the recent celebrity photo leaks, a report suggests. A Python script which discovered the password of an iCloud account has surfaced, with an apparent vulnerability in Find My iPhone potentially allowing attackers to "brute force" attack an account without any lockout or warning to the account owner.
The script was posted on GitHub on Monday, reports The Next Web, and heavily relied on Find My iPhone's lack of restriction on the number of attempts. Once the account password was found, the attacker could then use the complete set of credentials to access other Apple services including iCloud. According to the report, the script owner discovered Apple had patched the vulnerability earlier today, with the service now locking users out after five attempts.
The creator, a Twitter user by the name of Hackapp, said the bug "is common for all services which have many authentication interfaces," and it is "trivial" to find them using a "basic knowledge of sniffing and reversing techniques."
While the timing of the script's appearance coincides with that of the celebrity leaks, there is no direct evidence tying the two together. Apple has yet to comment about the allegations.