A software developer is accusing Apple of brushing off a serious iCloud security flaw that he alerted the company to six months before the recent iCloud hack celebrity nude photo scandal.
The Daily Dot says Ibrahim Balic informed Apple that he found a way to hack into the iCloud back in March of this year, and just shared that email exchange with the Daily Dot. It's not clear if it's the exact flaw that gave the celebrity hacking ring access to private nude photos, though it was a brute-force attack, which points to the same type of vulnerability.
Perhaps more importantly, Balic is sharing his email correspondence with the company to make a point: that Apple should treat would-be white-hat hackers who point out bugs seriously.
Balic was able to unlock accounts by trying up to 20,000 different passwords on each one. When Apple responded in May, the company asked Balic for additional information about his methods but did not tell him if the flaw would be corrected.
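As an added illustration (not code from the article, Apple, or Balic), the kind of per-account failed-login lockout whose absence lets a run of 20,000 guesses against one account complete; the threshold, window, lockout length and the constructed guess list are all assumptions:

```python
"""Added example (not from the article): a per-account failed-login guard of the
kind whose absence lets a 20,000-guess brute-force run complete. The lockout
threshold, window and the constructed attempt stream are assumptions."""
from collections import defaultdict, deque

MAX_FAILURES = 10        # failed attempts allowed per account per window (assumed)
WINDOW_SECONDS = 900     # sliding window length in seconds (assumed)
LOCKOUT_SECONDS = 3600   # how long the account stays locked once tripped (assumed)


class LoginGuard:
    """Counts recent failures per account and locks the account when the
    threshold is crossed, so a guessing loop is cut off after a handful of tries."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password, now, check_password):
        """Return 'locked', 'ok' or 'fail'. No password is checked while locked."""
        if self.is_locked(account, now):
            return "locked"
        if check_password(account, password):
            self.failures[account].clear()
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "fail"


def simulate_bruteforce(guard, account, guesses, real_password, rate_per_second=10):
    """Feed a guess list through the guard and report how many guesses were
    actually evaluated against the real password before the lockout engaged."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = guard.attempt(account, guess, i / rate_per_second,
                               lambda a, p: p == real_password)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With a 20,000-entry constructed guess list and the real password placed last, only the first ten guesses are ever evaluated; the rest hit the lock.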
Balic told the Daily Dot he believed the flaw had not been patched up during the correspondence, leaving iCloud users vulnerable:
The reported vulnerability apparently remains unfixed, as an Apple official continues to question Balic over the details of his discovery.
I contacted Apple to confirm or deny that the emails are authentic, and asked for an explanation about the way the exchange was handled. I have not received a response.
Again, this particular security hole Balic flagged might have little to do with the iCloud hacking scandal. While brute-force attacks have been floated as the main cause of that breach, the vulnerability Balic spotted could be a wholly unrelated iCloud security problem, which is also disturbing.
Either way, brute-force attacks like the one Balic carried out should be something Apple cares about, and if the company did dismiss a legitimate warning, it raises some concern that future tips discovered by white-hat hackers would also be dismissed. That is especially troubling when such breaches could have been prevented if, say, Apple had a bug bounty programme like Google, Facebook, Twitter and several other tech companies do.
Tim Cook has been doing the interview rounds insisting that Apple is rethinking security, and the company has introduced beefed-up privacy and security features including two-party authentication for iCloud. But it's discomforting to hear this kind of story coming from developers. Being devoted to product secrecy is one thing, but Apple may want to start giving a closer look at the warning signs coming from outside Cupertino. [Daily Dot]