Apple has officially acknowledged a concerted attempt to hack into its iCloud servers this week, reassuring users that no breach took place. However, users who ignored a security warning may be compromised.
The organised incursion against Apple’s iCloud servers took place on Monday, with an eavesdropping attack known in the security world as a MITMA (or man-in-the-middle-attack), which is designed to lull users into inputting their information into a fake login page, which then feeds back to the attackers.
The attempted attack has been attributed to Chinese hackers backed by the government. Great Fire, an official online watchdog set up to monitor online censorship in the Middle Kingdom, has voiced concerns on the matter. It claims that any users who ignored a security certificate error and logged in to iCloud from Safari running on Mac OSX, should now expect their information to be in the hands of “the Chinese authorities”. Thankfully, iOS users appear to be unaffected, as well as users who have already upgraded to Yosemite.
Great Fire’s concerns have been echoed by leading security researchers. Those same Chinese authorities, however, have resolutely denied any wrong doing.
Apple has publically addressed the attempted incursion and posted advice to its support pages, designed to offer users reassurance and instructions on how to best insulate themselves from the attack.
“Apple is deeply committed to protecting our customers’ privacy and security. We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don’t compromise iCloud servers, and they don’t impact iCloud sign-in on iOS devices or Macs running OS X Yosemite using the Safari browser,” the company wrote.
It went on, “The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning. To verify that they are connected to the authentic iCloud website, users can check the contents of the digital certificate…for Safari, Chrome, and Firefox—each of which provides both certificate information and warnings.”