Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts.
The company's statement, however, has only heightened concerns among security experts that Apple didn't do enough to protect against "brute-forcing" — attempts to obtain or verify user information by simple trial and error. Apple hasn't explicitly confirmed that brute-forcing was involved in this hack. The company's reference to security questions suggests the attackers may have also used social engineering techniques or publicly known information about a celebrity to correctly answer the security questions, and I've asked Apple to clarify what it meant. But at least one security researcher claims to have been testing brute-force techniques on Apple's systems as of Tuesday afternoon, with little indication that Apple had closed off that possibility in response to the hack.
posting an email address as JSON to appleid.apple .com /account/validation/appleid returns if it is a valid account or not. no rate limit.
— nik cubrilovic (@nikcub) September 2, 2014
Cubrilovic reports that Apple eventually blocked his IP address from contacting account authentication servers, but that wouldn't necessarily stop others from trying the same thing.
There's a relatively easy fix for this sort of thing. Researchers call it "rate-limiting." You may have experienced this yourself when you've incorrectly entered a password on a Web site too many times and gotten locked out of your account. Over the weekend, security researchers were said to have found a flaw in iCloud's Find My iPhone feature that didn't cut off brute-force attacks. Apple's statement Tuesday afternoon suggests the company doesn't regard that revelation as a problem. And that's a problem, according to security researcher and Washington Post contributor Ashkan Soltani.
"If you recall, the Federal Trade Commission went after Twitter for not taking steps to prevent password brute-forcing," Soltani said. "Preventing brute-forcing is pretty important; otherwise you could just write a script that just checks the server over and over again."
Implementing rate-limiting would have prevented any hackers from brute-forcing their way into the celebrities' accounts, said Soltani. While rate-limiting is common on many Web sites, the practice hasn't grown into a semi-official doctrine in the same way that two-step verification has. (That security feature challenges users to type in a special code from a text message or phone call as a way to thwart hackers who have access only to a username and password but not the legitimate account holder's cellphone.)
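Rate-limiting of the kind the article describes, as an added illustration (not Apple's code and not from the article): a sliding-window limiter keyed on both the account and the source address, placed in front of a credential check whose reply does not reveal whether the account exists. Class names, thresholds and the sample user are my assumptions.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter keyed per account AND per source address (assumed
    design): rotating addresses does not evade the per-account cap, and spraying
    many accounts does not evade the per-address cap."""
    def __init__(self, max_per_account=5, max_per_ip=20, window_s=900,
                 clock=time.monotonic):
        self.max_per_account, self.max_per_ip = max_per_account, max_per_ip
        self.window_s, self.clock = window_s, clock
        self._by_account, self._by_ip = defaultdict(deque), defaultdict(deque)

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:  # forget failures outside the window
            q.popleft()

    def allowed(self, account, ip):
        now = self.clock()
        qa, qi = self._by_account[account], self._by_ip[ip]
        self._prune(qa, now)
        self._prune(qi, now)
        return len(qa) < self.max_per_account and len(qi) < self.max_per_ip

    def record_failure(self, account, ip):
        now = self.clock()
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)

def check_credentials(limiter, verify, account, password, ip):
    """'locked', 'ok' or 'denied'. Wrong password and unknown account both give
    'denied', so the endpoint does not reveal which addresses have accounts."""
    if not limiter.allowed(account, ip):
        return "locked"  # refused before the password is even examined
    if verify(account, password):
        return "ok"
    limiter.record_failure(account, ip)
    return "denied"

def demo():
    users = {"alice@example.com": "correct horse"}  # constructed; real systems store hashes
    verify = lambda a, p: users.get(a) == p
    t = [0.0]  # fake clock so window expiry is deterministic
    lim = LoginRateLimiter(max_per_account=5, window_s=900, clock=lambda: t[0])
    who, ip = "alice@example.com", "198.51.100.7"
    guesses = [check_credentials(lim, verify, who, f"guess{i}", ip) for i in range(7)]
    locked = check_credentials(lim, verify, who, "correct horse", ip)  # still locked
    t[0] += 901  # window has passed; the legitimate owner can log in again
    recovered = check_credentials(lim, verify, who, "correct horse", ip)
    return guesses, locked, recovered
```

A hard per-account lockout can itself be used to lock the real owner out, so production systems usually combine it with growing delays or a CAPTCHA rather than an outright block.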
Finding an alternative to security questions altogether would bolster security further, according to Soltani.
Poor password reset questions are "a notoriously bad way to protect your account," he said, "especially for celebrities. Your pet's name and the high school you went to? Those are easy questions."
Developing the next security technology after password reset questions is more of a long-term endeavor. But saying there's nothing wrong with iCloud and suggesting that some users simply chose weak passwords is a little surprising when there is at least one thing Apple could change right now.