Apple Promises Security Improvements

Changes Coming in Aftermath of iCloud Backup Attacks

By Mathew J. Schwartz, September 5, 2014.

Apple plans to add safeguards to help address security vulnerabilities exploited by celebrity-photo hackers. But some security experts have criticized Apple's forthcoming changes as not going far enough, contending that they won't block related attacks.

Apple's move comes after attackers released online hundreds of images stolen from more than 25 celebrities, which hackers obtained - at least in part - by accessing iCloud backups of the celebrities' iOS devices.

Attackers gained access to the iCloud backups either by guessing users' security questions, which allowed them to reset targets' passwords to one of their own choosing, or by using phishing attacks to steal users' legitimate user IDs and passwords, Apple CEO Tim Cook tells The Wall Street Journal.

While Apple issued a Sept. 2 statement saying it was investigating "a very targeted attack on user names, passwords and security questions," Cook's interview represents the first time Apple has confirmed that stolen images were obtained from users' iCloud accounts.

Apple Previews Changes

In response to the celebrity photo hacking incident, Cook says Apple plans to make several security changes, including alerting users - using both e-mails and push notifications to devices - every time someone:

Changes an account password;
Uses a new device to log into an account;
Restores an iCloud backup to a new device.

After receiving a related alert, the user can immediately change their account password, or file a report of a suspected security breach with Apple. The company has yet to detail how exactly it will respond to those reports.

Previously, Apple sent an alert if an unknown device was used to change a password or log into an account for the first time. But it had no alerts in place for iCloud backups. Cook says the new changes are due to take effect within the next two weeks.

Ongoing Criticism

Apple has faced ongoing criticism for not having defenses in place that would have blocked attackers from stealing celebrities' nude photos.

U.S. Sen. John D. Rockefeller, D-W.V., who chairs the Senate Committee on Commerce, Science, and Transportation, has requested that Apple detail "security protocols in place for its cloud databases" to his staff. "Apple is expected to introduce a new version of its iPhone that will enable, if not encourage, users to store more information with its cloud services, and I want to learn whether these focused, targeted attacks are symptomatic of wider, systemic vulnerabilities," he says.

Haroon Meer says that he was part of a group of security researchers who highlighted the password-reset vulnerability against iCloud - then dubbed iDisk - in a presentation at the Def Con conference in 2009. "We also used universal XSS in iTunes/iCloud sync for a web based rootkit (that was fixed)," Meer says.

But in his Wall Street Journal interview, Cook attempted to deflect security criticism of Apple, in part by noting that the iPhone 5s features a biometric fingerprint sensor - although that does nothing to secure iCloud - and promising that iOS 8 will allow individuals to use two-factor authentication to restrict access to iCloud from a mobile device.

Cook also says Apple will better publicize its two-factor authentication system, which he admits few people now use. If the feature is activated, anyone who wants to access an iCloud account must input two of the following checks: a password, a four-digit one-time code, or a longer recovery key that gets generated the first time a user activates the two-factor authentication feature.

Adequate Steps?