Apple Aware of iCloud Brute Force Vulnerability Six Months Before Celebrity Photo Hacks

A report by The Daily Dot claims Apple knew about a brute force security vulnerability in its iCloud service six months before it was used to hack numerous celebrities’ accounts on the service. The company’s security team had been notified of the flaw in emails from independent security researcher Ibrahim Balic.


MacRumors:

In an email from March 2014, Balic told Apple that he was able to bypass the security of any iCloud account by using a “brute-force” hacking method that was able to try over 20,000 password combinations. Balic recommended to Apple that it should implement a feature in iCloud that prevents log-ins after a set number of failed attempts, and even reported the exploit through Apple’s Bug Reporter. Balic was also the developer said to be behind the extended outage of Apple’s Dev Center last year.

May 2014 saw Apple email Balic, questioning the validity of the exploit, as it “would take an extraordinarily long time” to find a valid authentication token to get into an iCloud account using the flaw. Balic says Apple continued to quiz him about the exploit, and how it could be used. (Balic also informed Apple about the vulnerability via Apple’s online bug submission platform.)

September 1, 2014: Hackers, reportedly using a Python script that utilized the brute force method Balic warned Apple about, accessed the iCloud accounts of several well-known celebrities, downloading private photos and videos.

Apple announced later in the day that it was investigating the security breach, which ultimately led to comments from company CEO Tim Cook, along with new security measures intended to prevent future hacks. Those measures included automatic emails sent to users when their iCloud account is accessed via a web browser, automatic two-factor authentication for iCloud.com, and required app-specific passwords for any third-party apps that access iCloud.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.