{"id":44566,"date":"2014-09-04T06:52:31","date_gmt":"2014-09-04T06:52:31","guid":{"rendered":"http:\/\/4cd.e16.myftpupload.com\/?p=44566"},"modified":"2014-09-04T06:52:31","modified_gmt":"2014-09-04T06:52:31","slug":"fundamental-flaw-in-apple-icloud","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/2014\/09\/fundamental-flaw-in-apple-icloud\/","title":{"rendered":"‘Fundamental flaw’ in Apple iCloud"},"content":{"rendered":"

Apple’s iCloud facility, which stores iPhone and iPad users’ photos and personal data, has a “fundamental security flaw”, an expert has warned.

The online service is under scrutiny after intimate images of celebrities were stolen and leaked.

It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.

Apple declined to comment.

The program still requires hackers to know the user’s email address and password, and there is no clear evidence that it was used in the recent breaches.

Two-step verification – which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account – is supposed to offer an extra level of protection.

On Tuesday, Apple suggested its customers “always use a strong password and enable two-step verification” after it acknowledged that some of its accounts had been compromised by a “very targeted attack”.

But one expert said Apple had given people “a false sense of security”.

Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers discussion group as a useful tool for infiltrating iCloud accounts.

The program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.

It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.

It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.

But Mr Katalov told the BBC that, although he could not be “100% sure”, he believed the software was used in the recent celebrity hacks, as ElcomSoft’s program is “the only one able to do that”.

He added that while his company “didn’t like it much” when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.

Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple’s two-step verification system, which he believed was “implemented only to protect your credit card”.

“It doesn’t require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up,” he said.

Using ElcomSoft’s program, he added: “I can use my computer to extract files from your online back-up – something you can’t do yourself”.

Indeed, Apple’s own page on two-step verification explains that it protects: