A software developer is accusing Apple of brushing off a serious iCloud security flaw that he alerted the company to six months before the recent iCloud celebrity nude-photo theft scandal.
The Daily Dot says Ibrahim Balic informed Apple that he found a way to breach individual iCloud accounts back in March of this year, and just shared that email exchange with the Daily Dot. It's not clear if it's the exact flaw that gave the celebrity nude-theft ring access to private photos, though it was a brute-force attack, which points to the same type of vulnerability.
Perhaps more importantly, Balic is sharing his email correspondence with the company to make a point: that Apple should treat would-be white hat hackers who point out bugs seriously.
Balic was able to unlock accounts by trying up to 20,000 different passwords on each one. When Apple responded in May, the company asked Balic for additional information about his methods—but did not tell him if the flaw would be corrected.
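As an added illustration (not Apple's code and not Balic's method), here is the kind of per-account lockout that caps how many guesses actually get evaluated, so a 20,000-attempt run against one account stops being checked after a handful of failures; the threshold, lockout window and in-memory user store are constructed assumptions:

```python
# Added example: per-account failed-login throttling. Not Apple's code; the
# threshold, lockout window and user store are constructed assumptions.
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 5           # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumption: 15-minute lockout window

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self, users):
        # users: {username: password}; stored as salted PBKDF2 hashes (constructed store)
        self._creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, _hash(pw, salt))
        self._failures = defaultdict(int)  # consecutive failures per account
        self._locked_until = {}            # account -> timestamp the lock expires
        self.checks_performed = 0          # password checks actually evaluated

    def login(self, user, password, now):
        if self._locked_until.get(user, 0) > now:
            return "locked"                # rejected without touching the password
        # Unknown users still get a hash computed, so timing does not leak existence.
        salt, stored = self._creds.get(user, (b"", b""))
        self.checks_performed += 1
        if user in self._creds and hmac.compare_digest(_hash(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            # Lock applies even to the right password until the window passes:
            # that is the availability cost of stopping online guessing.
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "denied"

def simulate_guessing(guard, user, guesses, now=0.0):
    """Replay a guess list against one account as fast as possible; return outcome counts."""
    outcomes = defaultdict(int)
    for g in guesses:
        outcomes[guard.login(user, g, now)] += 1
    return dict(outcomes)

if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery staple"})  # constructed account
    print(simulate_guessing(guard, "alice", [f"guess{i}" for i in range(20000)]))
    print("password checks evaluated:", guard.checks_performed)
```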
Balic told the Daily Dot he believed the flaw had not been patched up during the correspondence, leaving iCloud users vulnerable to individual attacks:
The reported vulnerability apparently remains unfixed, as an Apple official continues to question Balic over the details of his discovery.
I contacted Apple to confirm or deny that the emails are authentic, and asked for an explanation about the way the exchange was handled. I have not received a response.
Again, this particular security hole Balic flagged might have shit-all to do with the iCloud scandal. While brute-force attacks have been floated as the main cause of that breach, the vulnerability Balic spotted could be a wholly unrelated iCloud security problem, which is also disturbing.
Either way, brute-force attacks like the one Balic carried out should be something Apple cares about, and if the company did dismiss a legitimate warning, it raises the concern that future tips from white hat hackers would also be dismissed, especially when those breaches could have been prevented if, say, Apple had a bug bounty program like Google, Facebook, Twitter and several other tech companies do.
Tim Cook has been making the interview rounds insisting that Apple is rethinking security, and the company has introduced beefed-up privacy and security features including two-party authentication for iCloud. But it's discomfiting to hear this kind of story coming from developers. Being devoted to product secrecy is one thing, but Apple may want to start giving a closer look at the warning signs coming from outside Cupertino. [Daily Dot]