Nude celebrity photos leaked: Russian analyst says it took less than two hours to identify security flaw

The iPhone error which allowed a hacker to access naked photos of Jennifer Lawrence, Kelly Brook and other celebrities was uncovered by a Russian analyst after less than two hours investigating the rumoured weakness

Jennifer Lawrence and Kelly Brook both had photos leaked. Photo: REX FEATURES/EPA

A Russian internet security analyst who found a glitch in Apple's iCloud that is suspected of giving hackers access to nude photos of celebrities released earlier this week has said that it took him just two hours to identify the flaw.

Alexei Troshichev announced the discovery of the bug in Apple's FindMyiPhone app at a conference in the Russian city of St Petersburg on Saturday evening – a day before an anonymous hacker posted private images of more than 100 actors, singers and celebrities to internet forum 4chan.

"I started to research different login interfaces. iCloud and iTunes were protected. FindMyiPhone was not ... all together it took about two hours [to find the bug]. It was a trivial task," Mr Troshichev told The Daily Telegraph.

"This bug looks really critical in context of the photo leaks," added Mr Troshichev.

The FBI is investigating the hack attack and Apple has said that it is actively looking into the security of iCloud, where data of users – including photos, contacts and videos – is stored.

Mr Troshichev, a security researcher with HackApp, his online security firm, said that he started looking for weaknesses in iCloud after photographs and emails apparently belonging to Dmitry Medvedev, the Russian prime minister and a prominent user of Apple products, were hacked and released on August 14.

Apple fixed the problem with the FindMyiPhone app, which allows remote tracking of Apple devices, on Monday – shortly after the nude celebrity photos began spreading online.

"The end of fun, Apple have just patched FindMyiphone bug," Mr Troshichev wrote on Twitter at the time.

He said he did not report the fault to Apple before going public because Apple does not usually respond to such information, and because he believed it was not a serious threat.

The glitch identified by Mr Troshichev makes iCloud vulnerable to iBrute, a form of hacker attack that exploits the possibility of an unlimited number of login attempts to eventually give access to accounts with predictable passwords.

"It can be effective because people are generally not very good at picking 'strong' passwords, meaning that passwords can be guessed," said Andrei Belenko, a senior security engineer for mobile security firm viaForensics, who gave the presentation in St Petersburg with Mr Troshichev and knew about the bug in advance.
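The gap described above, where one login interface limits attempts and another does not, can be checked for from the defender's side. The following is an added illustration, not code from the article or from Apple: it audits authentication events for interfaces that keep evaluating guesses past a limit, and shows a failure counter keyed by account so that every interface shares it. The endpoint names, event format and limit of five are assumptions, and the events are constructed.

```python
from collections import defaultdict

MAX_FAILURES = 5  # assumed policy: stop evaluating guesses after 5 straight failures

def make_sample_events():
    """Constructed auth events: (endpoint, account, result).
    result: "fail", "ok", or "throttled" (server refused to check the guess)."""
    events = [("/auth/web", "alice", "fail")] * 5          # interface that limits
    events += [("/auth/web", "alice", "throttled")] * 20
    events += [("/auth/locator", "alice", "fail")] * 40    # every guess is checked
    events += [("/auth/locator", "alice", "ok")]
    events += [("/auth/locator", "bob", "fail"), ("/auth/locator", "bob", "ok")]
    return events

def unthrottled_endpoints(events, max_failures=MAX_FAILURES):
    """Return {endpoint: {account: longest run of evaluated failed guesses}}
    for every run longer than the policy allows."""
    run = defaultdict(int)
    worst = {}
    for endpoint, account, result in events:
        key = (endpoint, account)
        if result == "fail":
            run[key] += 1
            if run[key] > max_failures:
                per_account = worst.setdefault(endpoint, {})
                per_account[account] = max(per_account.get(account, 0), run[key])
        elif result == "ok":
            run[key] = 0
        # "throttled": the password was never evaluated, so it is not counted
    return worst

class AccountLimiter:
    """Failure counter keyed by account only, so all login interfaces share it.
    Simplification: no time-based decay or unlock step."""
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

def attempt(limiter, endpoint, account, password_ok):
    """Handle one login; `endpoint` is deliberately not part of the counter key."""
    if limiter.failures[account] >= limiter.max_failures:
        return "throttled"
    limiter.failures[account] = 0 if password_ok else limiter.failures[account] + 1
    return "ok" if password_ok else "fail"

if __name__ == "__main__":
    print(unthrottled_endpoints(make_sample_events()))
```
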

Defcon Russia, the Internet security group that hosted Mr Belenko and Mr Troshichev's talk, denied that the two men's revelation led to the release of the nude photos – because the information could not have been exploited that quickly.

"Our group's members are good and smart guys and we are working for the light and love," Defcon Russia said.

But Mr Troshichev maintained that, while unlikely, it was theoretically possible that his discovery was to blame.

"I don't feel responsible, I feel sorry," he said.