One of the oldest tricks in the hacking book was apparently used to hack the Apple iCloud accounts of dozens of celebrities, allowing hackers to gain access to private photos, including numerous nudes.
According to The Next Web, a simple brute force attack was to blame for the breach in security.
In a brute force attack, a computer program is used that simply tries a large number of passwords in a very short amount of time until it gets the right one.
Most modern login systems stop these kinds of attacks by placing limits on the number of times you can enter an incorrect password before the account is locked.
However, it seems that a flaw in Apple’s Find My iPhone service, part of its iCloud service, allowed a brute force attack to take place without the account being locked.
According to The Next Web:
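The attempt limit described above, as an added example (not code from Apple or from the article): failures are counted per account in one limiter shared by every login endpoint, so a secondary service cannot be used to keep guessing after the main login would have locked. The endpoint names, thresholds and the `check_password` callback are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values, chosen for illustration only.
MAX_FAILURES = 5         # failures allowed inside the window
WINDOW_SECONDS = 900     # sliding window for counting failures
LOCKOUT_SECONDS = 1800   # how long the account stays locked


class FailedLoginLimiter:
    """Counts failed logins per account, regardless of which endpoint saw them."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time
        self.alerts = []                     # (account, endpoint) that tripped a lock

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[account]  # lock expired
            return False
        return True

    def record(self, account, endpoint, success):
        if success:
            self._failures.pop(account, None)
            return
        now = self._clock()
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self.alerts.append((account, endpoint))  # hook for notifying the owner
            window.clear()


def authenticate(limiter, endpoint, account, password, check_password):
    """Single choke point for every endpoint. Returns 'locked', 'ok' or 'denied'."""
    if limiter.is_locked(account):
        return "locked"                      # refuse before the password is checked
    ok = check_password(account, password)
    limiter.record(account, endpoint, ok)
    return "ok" if ok else "denied"
```

Because the lock is checked before the password, a correct guess made while the account is locked is refused too, and the `alerts` list marks the point where the account owner would be notified.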
The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
Users on Twitter were able to use the tool from GitHub — which was published for two days before being shared to Hacker News — to access their own accounts before it seems Apple patched the hole today. The owner of the tool noticed it was patched at 3:20am PT.