In early September, a massive breach resulted in the leak of private and compromising photos of several celebrities. The photos were attributed to the iCloud accounts from which they had been obtained. Now, a new report states that Apple was made aware of the method used to access the photos six months before they were leaked online.
According to a report published by The Daily Dot late Wednesday, September 24, an independent security researcher, Ibrahim Balic, got in touch with Apple six months before the massive security breach and informed the Cupertino-based company of a “brute-force” method that allowed him access to any iCloud account he desired. The method involved trying over 20,000 password combinations, without being hindered by any “you have this many log-in attempts remaining” limit.
In March 2014, Balic reportedly got in touch with Apple regarding the security breach, and he has even shared some of the email correspondence he had with Apple’s product security team. According to Balic, he recommended that Apple lock iCloud accounts after a set number of failed access attempts. Balic also reported the issue through Apple’s Bug Reporter. Balic was the person reportedly behind the extended Developer Center outage in mid-2013.
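The lockout Balic recommended, sketched as an added example (not code from the article, Apple, or Balic), replaying a 20,000-guess run with and without the control. The 5-failure threshold, 900-second lockout, account name, stored password and one-guess-per-second pacing are assumptions; only the 20,000 figure comes from the article.

```python
import hashlib
import hmac


class LoginThrottle:
    """Per-account failed-attempt lockout (thresholds are assumed values)."""

    def __init__(self, verify, max_failures=5, lockout_seconds=900):
        self.verify = verify
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.state = {}    # account -> (consecutive failures, locked_until)
        self.checked = 0   # guesses that actually reached the password check

    def attempt(self, account, password, now):
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"  # rejected before the password is looked at
        self.checked += 1
        if self.verify(account, password):
            self.state.pop(account, None)  # success clears the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self.state[account] = (0, now + self.lockout_seconds)
        else:
            self.state[account] = (failures, 0.0)
        return "denied"


# Constructed credential store; unsalted SHA-256 only to keep the demo short.
_STORE = {"user@example.com": hashlib.sha256(b"guess-19999").hexdigest()}


def verify(account, password):
    expected = _STORE.get(account, "")
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def simulate(max_failures, lockout_seconds, guesses=20000):
    """Replay sequential guesses, one per second; the last one is correct."""
    throttle = LoginThrottle(verify, max_failures, lockout_seconds)
    results = [throttle.attempt("user@example.com", f"guess-{i}", now=float(i))
               for i in range(guesses)]
    return throttle.checked, results.count("ok")


if __name__ == "__main__":
    print("no limit :", simulate(20001, 900))  # every guess is checked
    print("lockout  :", simulate(5, 900))      # most guesses never reach the check
```

A hard lockout also lets anyone who knows an account name lock its owner out, so deployments often combine it with per-source rate limits or increasing delays.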
Apple replied to Balic in May of 2014, asking the security researcher for further details, but stating in its response that it “would take an extraordinary long time” to locate a valid authentication token and access an iCloud account using the brute-force method outlined by Balic. It wouldn’t be until September 1 that the leaked photos of several celebrities surfaced on the social networking site 4chan and were almost immediately attributed to iCloud. Apple would soon comment, saying it was a “very targeted attack,” while also denying any iCloud breach.
As a result of this, security for Apple products has indeed been stepped up. Apple now sends out emails to users when their iCloud account is accessed via the web, and two-step authentication has also been implemented for iCloud.com. More than that, though, Apple has stated its focus on security moving forward on more than one occasion. [via The Daily Dot]