iCloud, introduced by former Apple CEO Steve Jobs in 2011, is said to have been compromised to steal hundreds of leaked nude photos of celebrities. Reuters

Apple is looking into claims that hackers stole private pictures from dozens of celebrities using a vulnerability in its iCloud service.

On Sunday hundreds of images said to have been stolen from celebrities' iCloud accounts were leaked online and within hours were spread around the internet on websites like Twitter, Reddit and Imgur.

The person who leaked the images - initially on image board 4Chan - claimed they were stolen after gaining access to the iCloud accounts associated with the victims' phones.

In a short statement responding to the claims late on Monday, Apple said: "We take user privacy very seriously and are actively investigating this report."

If enabled, Apple's iCloud automatically stores iPhone users' photos and video in the cloud as a back-up measure, with many people unaware that this is happening.

FBI addressing the matter

There is as yet no conclusive proof that the images were accessed through Apple's cloud storage service, though it is the only explanation being given so far.

The FBI is also said to be involved in the investigation, with spokeswoman Laura Eimiller telling the Los Angeles Times:

"The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter," adding that "any further comment would be inappropriate at this time."

Brute force

While there has been no conclusive proof of an iCloud attack, a posting on code-sharing site GitHub on Saturday indicated one way in which the service could have been used to access the photos.

The script, written in Python by mobile security firm HackApp, would allow someone to automatically test a huge number of passwords on Apple's Find My iPhone API, a technique known as a brute force attack.

Apple has reportedly now patched this vulnerability in its software so this particular attack method may no longer be valid, but as we reported yesterday, it looks like the huge trove of stolen photos was circulating the internet for at least a few weeks before being leaked on Sunday.

In order to carry out such a brute force attack the attacker would also require the email address associated with the victim's account.
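The standard server-side defence against this kind of password guessing is a failed-attempt limit keyed on the account and shared by every endpoint that accepts a password. The sketch below is an added example, not code from HackApp, Apple or this article; the endpoint names, thresholds and e-mail addresses are constructed assumptions.

```python
from collections import defaultdict, deque

class AccountThrottle:
    """Sliding-window failed-login limiter keyed on the account identifier.
    One counter is shared by every endpoint that accepts a password, so no
    single API can be used for unlimited guessing."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lock ends

    def allowed(self, account, now):
        """True if a password check may be performed for this account."""
        return now >= self._locked_until.get(account.lower(), 0)

    def record_failure(self, account, now):
        """Count a failed attempt; lock the account once the limit is hit."""
        key = account.lower()
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:  # prune old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            recent.clear()

    def record_success(self, account):
        self._failures.pop(account.lower(), None)

def replay(attempts, throttle):
    """Replay (time, endpoint, account, password_ok) tuples and return the
    number of password checks actually performed per account."""
    checked = defaultdict(int)
    for now, _endpoint, account, ok in attempts:
        if not throttle.allowed(account, now):
            continue  # rejected before the password is compared
        checked[account] += 1
        if ok:
            throttle.record_success(account)
        else:
            throttle.record_failure(account, now)
    return dict(checked)

# Constructed sample: 200 guesses, one per second, alternating between two
# hypothetical endpoints, against one account, plus one ordinary sign-in.
SAMPLE = [(t, ("/login", "/device-api")[t % 2], "victim@example.com", False)
          for t in range(200)]
SAMPLE.append((50, "/login", "other@example.com", True))

if __name__ == "__main__":
    print(replay(SAMPLE, AccountThrottle()))
```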

Jennifer Lawrence has confirmed the stolen photos were real, calling the theft and subsequent posting online a "flagrant violation of privacy" and adding that she had informed the authorities.

Another celebrity caught up in the leaks is actress Mary E. Winstead, who said the leaked photos were taken over a year ago at her home:

"Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this," she said on Twitter.