
A string of bad news for Apple continues with a revelation published Thursday on The Daily Dot that London-based computer security expert Ibrahim Balic gave Apple a heads-up about a vulnerability he had discovered in iCloud, but the company discounted the severity of the issue and ignored the problem for six months.

As you know, the issue blew up in a major way, becoming the topic of late-night shows, after several celebrities with weak Apple ID passwords saw their nude photographs hijacked and posted on the web.

Balic reportedly cautioned Apple back in March that he had been able to try some 20,000 passwords against specific iCloud accounts. It would seem that his warnings either fell on deaf ears with Apple’s engineers who manage security, or at least that his emails were never escalated up the corporate ladder to become a priority.

“Using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account,” an Apple engineer wrote back to Balic. “Do you believe that you have a method for accessing an account in a reasonably short amount of time?”

Balic, who provided copies of his correspondence with Apple, is not so sure that the iPhone maker has addressed the iCloud vulnerability to this date. We actually don’t know whether or not the iCloud vulnerability Balic discovered is related to the brute-force attack that had been used on celebrities’ Apple IDs.


Hackers who leaked the nude pics are thought to have used the iBrute tool to launch a brute-force attack on the Find My iPhone service, which at the time did not lock out users after multiple failed attempts to guess the password (Apple has since rectified this obvious oversight).
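To make the point concrete, here is an added illustration (not code from the article, Apple or iBrute) of why the missing lockout mattered: a toy login endpoint with constructed sample credentials and a short guess list, showing that without a failed-attempt lockout the guess list walks straight through to the password, while a lockout refuses further guesses after five failures until the lock expires. The threshold and lock duration are assumed values, not Apple's.

```python
import time
from dataclasses import dataclass

# Assumed policy values for this example; the page does not state Apple's real thresholds.
MAX_FAILURES = 5           # failed guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts once the threshold is hit


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Toy login endpoint: optional failed-attempt lockout in front of a credential check."""

    def __init__(self, credentials, lockout=True, clock=time.time):
        # Constructed in-memory store for the demo; a real service stores password hashes.
        self.credentials = credentials
        self.lockout = lockout
        self.clock = clock          # injectable so tests can control time
        self.state = {}

    def attempt(self, user, password):
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if self.lockout and now < st.locked_until:
            return "locked"         # refuse without even checking the password
        if self.credentials.get(user) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.lockout and st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "rejected"


def replay_guesses(guard, user, wordlist):
    """Feed a guess list to the endpoint; return (final outcome, attempts consumed)."""
    for n, guess in enumerate(wordlist, 1):
        result = guard.attempt(user, guess)
        if result != "rejected":
            return result, n
    return "exhausted", len(wordlist)


# Constructed sample data: one account and a short guess list with the real password last.
CREDENTIALS = {"alice": "sunshine7"}
GUESSES = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome", "sunshine7"]
```

With `lockout=False` the seven-entry list reaches the password on attempt 7; with the lockout on, attempt 6 is refused outright, and the account only accepts the correct password again once the lock window has passed.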


Apple itself said in a statement that the breach was the result of a “targeted attack” which benefited from the victims’ weak Apple ID passwords and the fact that they had not protected their accounts with two-step verification.

The Cupertino firm recently expanded the use of two-step verification to further protect iCloud accounts in the aftermath of the scandal.


The opt-in feature boosts your security by requiring you to enter a four-digit code, sent by text message or pushed to your device, each time you log in to your Apple ID account on the web or to iCloud.com, or when you try to authorize a new device with the same Apple ID/iCloud account.

You are wholeheartedly encouraged to enable two-step verification for your Apple ID by following our handy tutorial.

[The Daily Dot]

  • Gerardo Castro

    Thanks Apple.

  • Cristian Bustillo

    Everyone forgot about the nude leaks after the iP6 came out lol

    • jack

      … leaks on pics taken before iP6 came out

    • Marcus

      There were more leaks last weekend which was after the release of the iPhone 6…

  • George

    Wow just bad news after bad news

  • Hugh Jassol

    If true, typical arrogance on Apple’s part. Even after the photo leaks, they just so happen to secretly fix a Find My iPhone vulnerability but then have the gall to blame users for using weak passwords rather than acknowledging their negligence in the first place. Just typical.

    BTW, I’m not saying that the fmi vulnerability was used to access those leaks and of course people should use stronger passwords & 2 step verification BUT this doesn’t negate the fact Apple left these vulnerabilities open yet they continue to blame the end user for “not doing it right”. Responsibility should go both ways.

    Apple is always passing the buck onto the user, figuratively and literally.

    • The thing is brute forcing a password shouldn’t be a vulnerability. Yes Apple shouldn’t have allowed the brute forcing of passwords but as you’ve rightfully said if you were using strong passwords and two-step verification there is no chance brute forcing your account would be possible. In short it’s only a vulnerability after an insane amount of time passes or if you have weak passwords but yes Apple should have patched this but I don’t for one moment think that six months is an unreasonable amount of time before patching such a small and insignificant vulnerability.

    • Gary LE

      If Apple said they used a weak password then that means they know what the user’s password is. Now why would they say so if they don’t know the password?

  • iDB fan

    Did you notice in the text the user also found out the same issue with Google. Isn’t it obvious that this is (was?) not *only* an exclusive iCloud problem? Albeit iCloud had its counterpart, this is something exploitable in far more systems with big impact beyond iCloud.

  • Typical Crapple move, ignore it until it makes headlines…