Hole in Apple's 'Find My iPhone' appears plugged, closing access to celebrities' private photos

Updated 1:40pm Pacific with Apple’s reported response.

A number of celebrities may be breathing easier this morning after hearing news that Apple has apparently plugged a vulnerability in its Find My iPhone cloud-based service.

That’s not necessarily because they’ve lost their phones. The vulnerability may have been used to get iCloud passwords — and private photos and videos — from the accounts of a number of famous people.

Last night, at least two anonymous users of 4chan, an anonymous bulletin board that tends to feature pornography and offensive content, reported that they had obtained access to as many as 100 accounts of famous actresses and female singers on Apple’s iCloud service. Some images pilfered from the accounts were posted, and to keep releasing them, one 4channer had asked for Bitcoin donations. Reportedly, about $95 has been paid by curious visitors.

The list of hacked accounts reportedly includes those of Jennifer Lawrence, Kate Upton, Rihanna, Kirsten Dunst, Selena Gomez, and of course, the omnipresent Kim Kardashian. The 4chan users report that at least some of the photos and videos are of the not-safe-for-work variety.

Some of the apparent photo-heist victims, such as Jennifer Lawrence, acknowledge the images’ authenticity. Others, including Victoria Justice and Ariana Grande, say the photos are fake.

A brute-force program to hack AppleID passwords was recently uploaded to GitHub. The program, appropriately called iBrute, is designed to flood AppleID logons with possible password combinations. The assumption is that the hacker would know the username, often derived from an email address.

Shortly before the stolen images were announced, the owner of iBrute announced the vulnerability — Find My iPhone did not deny access to brute force methods of figuring out a password. Early this morning, the same iBrute owner announced that the vulnerability has been closed, although there has not yet been confirmation from Apple.

Update: Apple is reportedly “actively investigating” the leaks.

iBrute is now reportedly locked out. But there is also speculation that the Find My iPhone hack was not solely to blame for all the apparently stolen files. For instance, someone could trick a celebrity user — or the celebrity’s assistant — into revealing enough information to gain access to iCloud backups. Additionally, it’s possible other online services were involved, since some of the images reportedly show celebrities using Android mobile devices.