Apple is investigating reports that a security hole in one of its online services allowed cyberthieves to download nude photos from the iCloud accounts of celebrities, the Wall Street Journal reported on Tuesday (Sept. 2).
The vulnerability in Apple’s Find My iPhone service, which tracks the location of a missing phone and lets a user disable the phone remotely if it is stolen, allowed anyone to keep trying passwords no matter how many failed login attempts were made. Once a correct password was found, it could then be used to get access to a user’s iCloud account.
On Monday, Apple reportedly set a limit on login retries to prevent such brute-force attacks.
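The kind of retry limit described above, as an added example that is not from the report and is not Apple's code: failed attempts are counted per account, so the limit holds no matter which service or client address the guesses arrive through. The class and function names, the thresholds and the `check_password` callback are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account limit on failed logins inside a sliding time window."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures   # failures tolerated per window (assumed value)
        self.window = window               # seconds a failure stays counted
        self.lockout = lockout             # seconds attempts are refused once tripped
        self.clock = clock                 # injectable so the logic can be tested
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lockout ends

    def allowed(self, account):
        """True if a password attempt for this account may be evaluated now."""
        return self.clock() >= self._locked_until.get(account, float("-inf"))

    def record(self, account, success):
        """Record an attempt's outcome; return True if the account is now locked."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            return False
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that have aged out of the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

def attempt_login(throttle, check_password, account, password):
    """Return 'locked', 'ok' or 'denied'; no password is checked while locked."""
    if not throttle.allowed(account):
        # Refuse before comparing, so a correct guess made during the
        # lockout is not confirmed to the caller.
        return "locked"
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"
```

Every endpoint that accepts the account password has to go through the same throttle instance (or the same shared store); a limit enforced on only some login paths leaves the others open to unlimited guessing.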
The apparently successful attacks came as Apple is expected to announce a mobile payments service next Tuesday (Sept. 9). Apple has reportedly negotiated deals with Visa, MasterCard and American Express to support their payment cards on the new service, which is believed to use a contactless NFC chip in a new iPhone model.
However, Apple hasn’t revealed any details of the new service, or even confirmed that it will be supporting mobile payments. If the new system uses tokenization to access an iPhone user’s iTunes account, even stealing a user’s password might give a thief no significant access to any payment card numbers.
But Apple will still face bad publicity from the iCloud account breaches, which resulted in nude pictures of actresses Jennifer Lawrence and Mary E. Winstead and model Kate Upton being posted on social media websites.