Shortly after the leak of naked pictures of a bunch of celebrities, among which Jennifer Lawrence had the biggest share, there are first rumors about how it was done. One of them is that the following Python script was used:
It tries to act like the Find-My-iPhone app, simulating a login for which a password is required. The passwords are guessed from a wordlist and tried against a corresponding Apple server, which gives a feedback on the correctness of the try. Once the password is found, the hacker has access to the iCloud, where the nude pictures are stored. Although at the time of the hack the attacker had infinitely many tries, in practice one could pull off maybe 10 tries per second. That’s 864000 tries per day. Readers of my blog know, this is not much. In fact this is so little, that it’s hardly believable the hack was really performed that way. Maybe the tries were distributed over many clients and it was done over a long time, yada yada yada. But then Apple’s fraud prevention system (do they even have one?) should have given alarm. Another possibility is: those celebs had chosen an incredibly stupid and easy-to-guess password. Speculations, Speculations…
Aaaand we have a winner for the “I-didn’t-learn-anything-today”-contest:
Again, iCloud has to take maybe 10% of the blame due to their “infinitely-many-login-tries-are-possible” design flaw. But choosing a poor password (presumably a really poor one) makes you 90% responsible for the situation. Lashing out at everything may be a natural reaction in such an “exposed” position, but honestly, it doesn’t make you look more intelligent.