Nearly two days after hundreds of nude photos of celebrities, including Jennifer Lawrence and Kate Upton, leaked on the web, Apple confirmed the photos came from the individual iCloud accounts of the victims. But the company said that the iCloud servers were not breached and there was no security bug in its service. Instead, the photos were stolen from the accounts of the victims.
"When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple said in a statement.
"None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone," added the company.
The leak of nude selfies has highlighted the poor state of web security. After the Apple statement, Christopher Soghoian, principal technologist at the ACLU, tweeted that web accounts have poor security. "Your online accounts aren't any more secure than Jennifer Lawrence's. But it's unlikely that anyone is trying to brute force your password," he said on his Twitter feed.
While Apple is in a way right in saying that the leak of nude selfies points to a wider problem of weak passwords and over-reliance on passwords, it is notable that the company claims its own security practices bear no responsibility for the leak.
According to a report on The Next Web, a hacker or a group of hackers might have used an automated script to guess the passwords of iCloud accounts maintained by celebrities. But such a method is only likely to succeed if a service allows an unlimited number of login attempts. Allowing unlimited repeated login attempts on an account is considered poor security practice. Websites like Facebook and Google do not allow unlimited login attempts.
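The defence the paragraph refers to, limiting repeated login attempts on an account, is straightforward to illustrate. The following is an added example written for this page; it is not Apple's or any other service's code, and the `LoginService` class, the in-memory account store, the threshold of five failures, the 15-minute lockout and the sample guesses are all constructed for the demonstration. It shows why a guessing script that gets only five tries before the account locks cannot work through a wordlist, even one that happens to contain the right password.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy constants (constructed values for this example, not any real service's settings).
MAX_FAILURES = 5        # failed attempts tolerated before the account locks
LOCKOUT_SECONDS = 900   # lock duration: 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen database is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class ManualClock:
    """Injectable clock so the lockout window can be tested without sleeping."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginService:
    """Hypothetical login front end with per-account failure counting and lockout."""

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied' (no enumeration)."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            # Locked accounts reject every attempt, correct password included,
            # so a guessing script learns nothing during the lockout window.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def demo() -> list[str]:
    """Five wrong guesses lock the account; the right password then fails until the lock expires."""
    clock = ManualClock(start=1_000_000.0)
    svc = LoginService(clock=clock)
    real_password = "correct horse battery staple"   # constructed
    svc.register("alice", real_password)
    wrong_guesses = ["password", "123456", "qwerty", "letmein", "iloveyou"]  # constructed
    outcomes = [svc.login("alice", g) for g in wrong_guesses]   # 5 x 'denied', 5th triggers lock
    outcomes.append(svc.login("alice", real_password))          # 'locked' despite being correct
    clock.advance(LOCKOUT_SECONDS + 1)
    outcomes.append(svc.login("alice", real_password))          # 'ok' once the window has passed
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A hard lockout like this has a known side effect: anyone who can send five bad passwords can keep a victim out of their own account, so production systems usually combine a per-account counter with progressive delays, a CAPTCHA step and a notification to the account owner rather than relying on lockout alone.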
At the same time, some blame also lies with the shoddy practices that Google and Apple follow in collecting data from a user's phone. On an Android phone, a user is repeatedly nudged to connect his or her photo gallery with Google+ so that photos can be uploaded to Google servers as soon as they have been taken. In many cases, users don't even realise that their photos are already in Google's cloud service.
On iPhone and iPad, photo backup to iCloud is off by default. But here too, it is easy for users to turn it on without realising the implications.
Apps like Dropbox, too, often send notifications to users requesting that they turn on automatic photo backup.
Backing up photos to a cloud service means they are safe in case of an accidental phone reset. The backup also makes it easier to share photos between devices. For example, using iCloud you can take a photo with an iPhone and immediately see it on your iPad, because the photos are synced across devices.
But once private data is in a cloud storage service, there is also a risk of a leak in the event of an attack on the cloud service or on the account that holds the data.
Another problem is that using cloud services efficiently and securely is too complex. In many cases, even when users have deleted photos from their phones, the photos continue to exist in the cloud storage service. This is what happened to Mary E Winstead, a victim of Monday's leak. After she found her private photos online, she tweeted, "Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked."
On Tuesday, Soghoian wrote that companies need to provide a private camera mode similar to the private browsing mode available in web browsers. "Automatic online backups of photographs may be appropriate for photos of your friends, kids, and pets. However, given that people also routinely take intimate, private photos with their smartphones, automatic backups may not always be desirable," he wrote in a piece on the ACLU website.
"One obvious solution to this is to provide users with an easy way to take private photos that won't be uploaded, while still offering the convenience of automatic backups for the majority of photos that aren't sensitive," added Soghoian.