Security expert Nik Cubrilovic says more than just photos were accessible. Photo: Andrew Meares
It's not just nude photographs Jennifer Lawrence, Kirsten Dunst and other victims of the celebrity photo theft have to worry about being accessed by hackers – it's their GPS co-ordinates, private text messages, calendars, address books, phone call logs and any other data stored on their phones and backed up to the cloud.
Apple has now confirmed that the iCloud accounts of "certain celebrities" were compromised "by a very targeted attack on user names, passwords and security questions", resulting in more than 400 photographs being leaked online.
Jennifer Lawrence was one of many targeted. Photo: Getty Images
But it's almost certain the hackers were able to gain access to much more than just photos, Australian security researcher Nik Cubrilovic told Fairfax Media.
Mr Cubrilovic, who has been investigating the saga since Monday, said victims' calendars, text messages, address books and any notes stored on their iPhones were also likely accessed by the hackers, but not published.
The data would have been accessible because the hackers - who were said to have targeted more than 100 celebrities - would have been able to extract more than just pictures from iCloud back-ups using special forensic software.
Real-time GPS co-ordinates would also have been available through the Find My iPhone feature, which pinpoints locations, Mr Cubrilovic said.
In a blog post, Mr Cubrilovic, who recently found flaws in the federal government's myGov website, said the hacking of celebrity accounts seemed "to only be scratching the surface".
"There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," he wrote.
"The networks are broken down horizontally, with specific people carrying out specific roles, loosely organised across a large number of sites ... with most organisation and communication taking place in private [via email or instant message programs]."
He said their goal was to steal private media from a target's phone by accessing cloud-based back-up services that are integrated into iPhone, Android and Windows phone devices.
To access the back-ups, he said, hackers typically required only a victim's user name and password or an "authentication token" that is stored locally on their desktop computer. The token can be extracted using malicious software known as a RAT, or remote administration tool, that is sent to the victim.
This token is often used by iTunes to prevent a user having to log in to their Apple account multiple times, and can also be used as a login to iCloud, he says.
Mr Cubrilovic believed it was only one person trying to cash in on the nude photos who caused the hacking scandal to go public.
"It appears the intention was to never make these images public, but that somebody ... decided that the opportunity to make some money was too good to pass up and decided to try to sell some of the images," he said.
Mr Cubrilovic also described how the hackers used various social engineering techniques to gain access to victims' accounts. One method involved sending fake emails to users, pretending to be from Apple, telling them they needed to respond with their secret questions to keep their accounts active.
He said the hackers also gathered information about people through other means, including Facebook profiles, to break into their iCloud accounts.
"Obtaining data on a target includes setting up fake [social media] profiles, friending or following friends of the target, being persistent with extracting information that might help answer secret questions, approaching male friends of the target, etc," he said.
Mr Cubrilovic concluded there was "an insane amount of hacking" going on in dark corners of the web.
"On any day there are dozens of forum and image board users offering their services," he said.
He also said Apple's security around iCloud was insufficient.
"Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online back-ups," he said. "Two-factor authentication is [only] used to protect account details and updates, [not iCloud back-ups]."
The founder of security firm Threat Intelligence, Ty Miller, told Fairfax Media large online services such as Facebook, Twitter and iCloud suffered "hundreds of security breaches every day on their accounts", despite having good security measures in place.
Correction: This article originally stated that Apple confirmed 100 iCloud accounts had been compromised. It only confirmed that the accounts of "certain celebrities" were compromised. The article has been updated to clarify this.