CloudSecurity

Apple might face the ire of several celebrities whose personal photographs were stolen and published over the weekend. In the latest example of the company’s irresponsible security practices, the images — at least those that haven’t been called forgeries by several celebrities and their spokespersons — are thought to have been taken from their subjects’ iCloud accounts.

Now, it’s clear that most of the blame should fall on the person who decided to violate the only shred of privacy that these celebrities had left, and on those who shared the images afterwards. This would never have been an issue if this person didn’t believe that personal photographs of people who happen to be famous should be stolen, skimmed through, and released to the Web.

But it seems that Apple will share in the blame: the leak was followed by the revelation that, until Sunday, the company did nothing to stop brute force attacks, in which an attacker gains access to an account by submitting password guesses over and over until the right one is found, from working against the iCloud website.

This isn’t the first time Apple has failed to take basic steps to protect consumer privacy. It also failed to implement a standard security tool in its mobile and desktop operating systems — an oversight I covered in February, when the glaring vulnerability was first revealed to the public:

The revelation demonstrates the ease with which digital security can be undermined — and the extent to which consumers are kept ignorant of significant problems with “secure” tools.

This vulnerability wasn’t caused by an attempt to create some breakthrough security tool; it was caused by a faulty implementation of a decades-old industry standard. That ineptitude has compromised the communications of hundreds of millions of consumers around the world. Yet this is the company entrusted with our credit card information, addresses, and thumbprints.

It then tried to prevent consumers from realizing the full extent of the problem by keeping any mention of its fix from update logs and using language that most consumers don’t understand:

Johns Hopkins University cryptography professor Matthew Green had no difficulty explaining the extent of the problem. “It’s as bad as you could imagine,” he told Reuters. “That’s all I can say.” That’s much clearer than Apple’s explanation, which said that “an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

It gets worse. The update to Apple’s desktop computers and laptops doesn’t mention the vulnerability at the top of its list of changes made to the operating system. Users must scroll past fixes to non-critical problems to learn that the update “provides a fix for SSL connection verification.” (Slate notes that most consumers probably won’t even bother to read the entire list of changes and simply install the latest update without question.)

Preventing brute force attacks is one of the most basic security features that can be included in a modern website. It’s right up there with “require a password” on the great checklist detailing how not to ruin the lives of consumers who trust your product to keep things private. Apple has fixed the problem now, but for the celebrities affected by this leak it’s already too little, too late.
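To make the "most basic security feature" concrete, here is an added example of the kind of login throttle a website needs in front of its password check. It is illustrative code written for this page, not Apple's code and not a description of how iCloud works; the thresholds (5 failures per 5 minutes, lockouts starting at 60 seconds and doubling up to an hour), the PBKDF2 password store, the account name and the source address are all constructed for the demonstration. The throttle counts failures both per account and per client source, so a single guessing client cannot burn through unlimited attempts, and the check runs before any password work so a locked-out caller learns nothing.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure budget with escalating lockout, keyed per account
    and per client source, so neither one victim account nor one guessing
    client can receive unbounded password attempts."""

    def __init__(self, max_failures=5, window=300, base_lockout=60, max_lockout=3600):
        self.max_failures = max_failures      # failures allowed inside one window
        self.window = window                  # seconds over which failures are counted
        self.base_lockout = base_lockout      # first lockout length; doubles each time
        self.max_lockout = max_lockout
        self.failures = defaultdict(deque)     # key -> timestamps of recent failures
        self.locked_until = {}                 # key -> time at which the lockout ends
        self.lockout_count = defaultdict(int)  # key -> consecutive lockouts so far

    @staticmethod
    def _keys(account, source):
        return (("acct", account.lower()), ("src", source))

    def retry_after(self, account, source, now):
        """Seconds the caller must wait before another attempt; 0 means allowed."""
        return max(max(0.0, self.locked_until.get(k, 0.0) - now)
                   for k in self._keys(account, source))

    def record_failure(self, account, source, now):
        for key in self._keys(account, source):
            q = self.failures[key]
            while q and now - q[0] > self.window:   # forget failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:
                self.lockout_count[key] += 1
                duration = min(self.base_lockout * 2 ** (self.lockout_count[key] - 1),
                               self.max_lockout)
                self.locked_until[key] = now + duration
                q.clear()   # the lockout is the penalty; a fresh budget starts after it

    def record_success(self, account, source, now):
        # A correct password clears the account's history; the source keeps its own.
        key = ("acct", account.lower())
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)
        self.lockout_count.pop(key, None)


def make_record(password, iterations=50_000):
    """Constructed password store entry: salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Used for unknown accounts so they cost the same as a wrong password (no enumeration hint).
DUMMY_RECORD = make_record("not-a-real-account")


def attempt_login(throttle, users, account, source, password, now):
    """Returns 'locked', 'denied' or 'ok'. The throttle is consulted before any
    password work, so a locked-out caller gets no signal about the password."""
    if throttle.retry_after(account, source, now) > 0:
        return "locked"
    record = users.get(account.lower(), DUMMY_RECORD)
    if account.lower() in users and verify_password(record, password):
        throttle.record_success(account, source, now)
        return "ok"
    verify_password(record, password) if account.lower() not in users else None
    throttle.record_failure(account, source, now)
    return "denied"


def simulate_guessing(n_guesses, seconds_between=1.0):
    """Constructed scenario: one client submits n_guesses wrong passwords for one
    account, one per second. Returns how many guesses reached the password check
    versus how many the throttle refused outright."""
    users = {"victim@example.com": make_record("correct horse battery staple")}
    throttle = LoginThrottle()
    reached = throttled = 0
    for i in range(n_guesses):
        result = attempt_login(throttle, users, "victim@example.com", "198.51.100.7",
                               f"guess{i}", now=i * seconds_between)
        if result == "locked":
            throttled += 1
        else:
            reached += 1
    return {"reached_password_check": reached, "throttled": throttled}


if __name__ == "__main__":
    print(simulate_guessing(2000))
```

With the constructed parameters, 2000 guesses fired one per second get only 30 of them as far as the password check (six windows of five failures, separated by lockouts of 60, 120, 240, 480, 960 and 1920 seconds); the rest are refused before any work is done. Per-account lockout does let an attacker lock a victim out, which is why the per-source budget and the escalating (rather than permanent) lockout are both present: the trade-off is deliberate and should be tuned per site.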

All of which means that the last year has shown Apple’s inability to implement basic security features that would help protect the privacy of millions of people, its unwillingness to own the mistakes when they’re revealed to the public, and its continued apathy towards security tools. Apple hasn’t encouraged people to grossly violate the privacy of others, but its lackadaisical and irresponsible approach to security certainly hasn’t done much to deter those hackers, either.

[Image via FutUndBeidl on Flickr]