In theory this is meant to be one of the advantages of end to end encryption: no more "accidental" leakage of user data between users, leakage in logs, etc (remember Facebook's logging incident? [0]). as it's only available on end user devices. And if you look at Apple's documentation [1], they say that iCloud is end to end encrypted. This is obviously not accurate as Apple keeps decryption keys for themselves. But this issue is even worse: here, the end to end encryption was circumvented in such a bad way that this bug could surface.
This happened to me during a Google Takeout export when I was degoogling in late 2019. I recall going through some photos from the earlier 2010's and some random pictures of other people were popping up. About a month or so later I received an email from Google letting me know that some of my files may have been accidentally in other people's exports. Since then, I stopped using apps like Google Photos and cloud storage in general. If I do, my files will be encrypted before I upload them.
I'm not surprised at all. I've reported literal malware in the App Store, with disassembly of the binary, etc. to them and Apple's "security" team did nothing. The inaction wasn't the worst part, it was their complete disinterest and lack of communication.
Google is even worse, you can't contact a human. Their app reporting process insisted I create a Google account and report it from within Android's App Store if I expected them to take action. I have better things to do than jump through unnecessary hoops.
Imagine getting still frames of somebody else's bedroom photos or kinky selfies sent to a partner or something similar rendered into your own video.
This could be very much like the technical cloud-based version of the fictional Tyler Durden splicing dick pics into single frames of 35mm film movies.
Based on what people use phones for these days some sizable percentage of icloud synced photos have to be something you really wouldn't want to get out there to random other icloud users.
Holy heck this is a bad one. That response from the security team is completely unacceptable. I wonder if there's a way to force this to happen, e.g. by modifying the file contents directly.
Reminder: Photos and videos in iCloud are not end to end encrypted (just like your device backup that contains your iMessage "e2e" keys) and are always readable by Apple (and thus FBI et al).
Apple is required to hand over data without a search warrant over 30,000 times per year to US authorities.
This kind of bug is unacceptable for a supposedly private cloud service. I wonder how long the bug has been around and whether it is at all related to the recent roll out of iCloud Shared Photo Library.
We have diluted the popular usage terminology so it's meaningless. Everyone ascribes the property "encrypted" to their service but you can't tell from that if they are just storing the key and the data next to each other in the database, or doing the equivalent with extra steps.
The important and hard part in crypto is key management, but that's considered too complicated a concept to explain to users.
They can't even consider encrypting them, since they are forced to scan for CSAM and the public overwhelmingly rejected on-device scanning. So their server needs access to the images.
Anyone else think the "scanlines" in the video are not scanlines but actually data of some sort? They seem to have white/black bits. Suggesting it might be some sort of data the video codec displays that way.
In a world of containers and micro services, I do not understand why we cannot have independent databases and buckets per user, specially if we are talking about sensitive data.
There is absolutely no proof that these are images from other peoples iCloud accounts.
Assuming these are even from iCloud in the first place, they could have been their version of "stock photos".
Assuming these are from iCloud, could have been the user's previous deleted photos. Could also just be photos on their windows computer. So many options. Going straight for the most unlikely scenario is strange, and seems like people have an agenda.
Stock photos had crossed my mind as a possibility as well, but I'd say it's unlikely to be previously deleted photos or from their Windows computer if they're seeing photos of kids they don't know.
I get the feeling that the folks working on the Windows/Android team at Apple are not highly regarded - get the sense of "folks working in the basement" - you can see it by the lackluster stuff they ship.
As a Windows/Android developer, you probably don't apply at Apple for a job, and as an Apple employee you're probably not too enamored with developing for Windows/Android.
All US operated websites are technically illegal in EU (due to the CLOUD Act). Practically, they are still used en masse. In theory the next iteration of the Privacy Shield (or whatever name they are going to give it this time around) and which EU-US should sign sometime next year should reconcile in some way the existing privacy issues where EU residents personal data does not have adequate privacy protection once it's touched by a US company.
I had another issue with iCloud and photo syncing being abysmally slow, and I ended up digging through LinkedIn and I found the director of engineering for photos at Apple. I messaged that person through LinkedIn, and ended up getting some very senior tech support people who helped go through my issues with me. I hesitate to post contact info, but just saying... it's possible if you are polite and can clearly articulate the issue to get someone like that to help really escalate the support.
[+] [-] est31|3 years ago|reply
[0]: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds...
[1]: https://support.apple.com/en-us/HT202303
[+] [-] sneak|3 years ago|reply
https://support.apple.com/en-us/HT202303
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] extr0pian|3 years ago|reply
Here's the original story: https://9to5google.com/2020/02/03/google-photos-video-strang...
[+] [-] ilikehurdles|3 years ago|reply
[+] [-] greasyfullfryup|3 years ago|reply
Google is even worse, you can't contact a human. Their app reporting process insisted I create a Google account and report it from within Android's App Store if I expected them to take action. I have better things to do than jump through unnecessary hoops.
[+] [-] walrus01|3 years ago|reply
This could be very much like the technical cloud-based version of the fictional Tyler Durden splicing dick pics into single frames of 35mm film movies.
Based on what people use phones for these days some sizable percentage of icloud synced photos have to be something you really wouldn't want to get out there to random other icloud users.
[+] [-] lovehashbrowns|3 years ago|reply
[+] [-] sneak|3 years ago|reply
Apple is required to hand over data without a search warrant over 30,000 times per year to US authorities.
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
[+] [-] kls0e|3 years ago|reply
[+] [-] astrange|3 years ago|reply
[+] [-] Jerrrry|3 years ago|reply
A glitch is just an exploit that just hasn't been sufficiently documented.
[+] [-] divbzero|3 years ago|reply
https://support.apple.com/guide/icloud-windows/use-icloud-sh...
[+] [-] Kibae|3 years ago|reply
[+] [-] Bilal_io|3 years ago|reply
[+] [-] fulafel|3 years ago|reply
The important and hard part in crypto is key management, but that's considered too complicated a concept to explain to users.
[+] [-] benhurmarcel|3 years ago|reply
[+] [-] MBCook|3 years ago|reply
When they tried to encrypt photos end-to-end much of HN (and others) flipped out and raised such a fuss they gave up.
[+] [-] jeroenhd|3 years ago|reply
That said, the option should at least be available to those who know the benefits and accept the risks.
[+] [-] goosedragons|3 years ago|reply
[+] [-] quyleanh|3 years ago|reply
I'm currently using Onedrive (with Office 365) as my main data backup...
[+] [-] plantain|3 years ago|reply
https://www.macrumors.com/2021/06/29/icloud-data-stored-on-g...
[+] [-] whatever1|3 years ago|reply
[+] [-] tyingq|3 years ago|reply
[+] [-] jjtheblunt|3 years ago|reply
[+] [-] nhinck2|3 years ago|reply
[+] [-] languageserver|3 years ago|reply
Assuming these are even from iCloud in the first place, they could have been their version of "stock photos".
Assuming these are from iCloud, could have been the user's previous deleted photos. Could also just be photos on their windows computer. So many options. Going straight for the most unlikely scenario is strange, and seems like people have an agenda.
[+] [-] Aaron2222|3 years ago|reply
[+] [-] StanislavPetrov|3 years ago|reply
[+] [-] tibbydudeza|3 years ago|reply
[+] [-] layer8|3 years ago|reply
[+] [-] 6510|3 years ago|reply
[+] [-] mhitza|3 years ago|reply
[+] [-] kylehotchkiss|3 years ago|reply
[+] [-] s1mon|3 years ago|reply