Over the weekend, there's been a slew of images released showing celebrities in varying states of undress. Now, it appears that a flaw in iCloud could be responsible for the images making their way online.


The Next Web reports that a Python script has appeared on Github that "appears to have allowed malicious users to 'brute force' a target account's password on Apple's iCloud." Based on a vulnerability in the Find my iPhone service, the software was able to repeatedly guess passwords very quickly in an attempt to find the right one. Usually multiple guesses lock accounts down, but the flaw in Find my iPhone meant that didn't happen.


The software sat on Github for two days, before appearing on Hacker News and then swiftly being patched by Apple today at 3:20 am PT. The Next Web has since tried using the tool, which now quickly locks accounts—suggesting that it does indeed brute forces passwords but has now been patched.

It's unclear when the hole first appeared and how long people have been using it. The fact that the hacker who originally leaked the celeb images claimed they were retrieved from iCloud suggests that it could have been this hole being used. That remains somewhat speculative, though: The Independent reports that Apple has, unsurprisingly, "refused to comment" on any security flaw in iCloud today. [The Next Web]