Apple's widely used iMessage communications platform contains a currently unpatched flaw that allowed attackers to decrypt a photo stored on the company's iCloud backup system, according to an article published by The Washington Post.
The vulnerability was discovered by a team of researchers from Johns Hopkins University. According to the Post, the researchers were able to exploit the bug by mimicking an Apple server and then painstakingly chipping away at the encryption protecting the photo, which was sent as a link over iMessage. They eventually were able to obtain the encryption key used to protect the photo by guessing each of its underlying 64 digits in what's known as a brute-force attack.
The vulnerability came to light as the FBI is trying to force Apple to write software that defeats security features built into an iPhone used by one of the San Bernardino shooters. Apple, joined by many security and privacy advocates, has bitterly opposed the move and warned that such action can ultimately diminish the security of smartphones everywhere. This iMessage flaw is probably of little benefit to the FBI in pulling data from the iPhone of San Bernardino shooter Syed Rizwan Farook, who along with his wife took part in a shooting rampage that killed 14 people. Still, the bug underscores what security people have long known—cryptography is excruciatingly hard to get right, and common bugs often leave an opening for law enforcement agents and criminal hackers.