In September of 2014, private photos of a number of celebrities, including Kate Upton and Jennifer Lawrence, were leaked onto the image-based bulletin board 4chan. It was soon discovered that this leak occurred as a result of a brute force attack against Apple’s iCloud, which until then had not limited the number of login attempts for each user account. Hackers exploited this oversight via the use of a password-breaking tool known as iBrute, which enabled them to gain unauthorized access to several celebrities’ accounts and steal their private photos from available data backups.
It is important to note, however, that iCloud is not the only service to have been recently threatened by brute force attacks. This type of attack also affects online accounts stored on users’ mobile devices, as a recent study conducted by AppBugs reveals.

Of some 100 mobile apps analyzed, AppBugs found that 53 mobile apps are vulnerable to password brute force attacks. These vulnerabilities threaten the password security of approximately 600 million users, both on the Android and iOS mobile platforms.

“Every single issue is an imminent threat to all users using that app,” AppBugs warns. “Once an attacker knows an app is vulnerable to brute force, this person can launch immediately attacks to guess user’s password from the web service of the vulnerable app on all user accounts.”

As with the iCloud leak, AppBugs’ study reveals that these apps, which include iHeartRadio, CNN, and Walmart, do not set a limit on the number of times a user can try to access their account.

AppBugs is right. According to a research paper written by Joseph Bonneau of the University of Cambridge, passwords in general contain between only 10 and 20 bits of security against any form of attack.
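The missing control the article keeps returning to is a per-account limit on failed login attempts. Below is an added example, not code from Apple, AppBugs or any of the apps named above: a small failed-attempt throttle with an injectable clock so it can be tested offline, plus the arithmetic that turns Bonneau’s 10 to 20 bits of security into a guess budget under such a limit. The limit of 5 failures per 15-minute window, the class and function names, and the sample accounts are assumptions.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5           # assumed policy: failed attempts allowed per window
WINDOW_SECONDS = 15 * 60   # assumed policy: length of the lockout window


class LoginThrottle:
    """Per-account counter of recent failed logins with a sliding lockout window.

    Only failures count, so a legitimate user who types the right password
    is never throttled; a success clears the account's failure history.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                     # injectable for deterministic tests
        self.failures = defaultdict(list)      # account -> timestamps of recent failures

    def _prune(self, account, now):
        # Drop failures that have aged out of the window.
        self.failures[account] = [t for t in self.failures[account] if now - t < self.window]

    def is_locked(self, account):
        now = self.clock()
        self._prune(account, now)
        return len(self.failures[account]) >= self.max_attempts

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'fail'. `verify(account, password)` is the real credential check."""
        if self.is_locked(account):
            return "locked"                    # refuse even a correct password while locked out
        if verify(account, password):
            self.failures.pop(account, None)   # success resets the counter
            return "ok"
        self.failures[account].append(self.clock())
        return "fail"


def guesses_needed(bits):
    """Worst-case number of online guesses for a password with `bits` bits of security."""
    return 2 ** bits


def hours_to_exhaust(bits, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Hours an online guesser needs to try every candidate when held to max_attempts per window.

    With no limit this is bounded only by server speed; with the assumed policy
    even a 10-bit password costs days and a 20-bit password costs years.
    """
    return guesses_needed(bits) / max_attempts * window / 3600
```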