Apple informed of iCloud security flaw months before celebrity nude photo hack, claims report

Leaked emails between security researcher and Apple employees discuss hacking methods that may have been used in the leaks earlier this month

James Vincent
Thursday 25 September 2014 22:54 BST
Comments
Jennifer Lawrence at the Vanity Fair Academy Awards party in February 2014
Jennifer Lawrence at the Vanity Fair Academy Awards party in February 2014

Leaked emails apparently show that Apple was aware of security flaws in its iCloud system months before hundreds of celebrities’ nude photographs were stolen from their personal accounts and posted online.

The emails, published by the Daily Dot, show conversations between London-based security researcher Ibrahim Balic and Apple employees, with Mr Balic reporting that he had found a way around Apple’s iCloud security to carry out ‘brute force’ attacks on accounts.

This method relies on simply guessing large number of passwords using automated software. Although the exact method used in the celebrity hacks is unknown, security experts have suggested that brute force methods were used alongside more targeted ‘phishing’ attacks (tricking users into entering the credentials into fake sites).

Mr Balic first emailed Apple in March and was still being questioned by Apple security on May 6th. Although the full cache of emails has not been released to the general public, the Daily Dot reports that at this point the “vulnerability apparently remains unfixed”.

The email from the Apple Product security suggests that the company was interested in finding out more details about the flaw: “Hello Ibrahim, Using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account. Do you believe that you have a method for accessing an account in a reasonably short amount of time?”

A similar flaw was highlighted by tech site The Next Web following the publication of the private photographs belonging to celebrities including Jennifer Lawrence, Kate Upton and Ariana Grande. This was quietly patched by Apple with the company denying it was linked to celebrity hackings.

Apple later acknowledged that is accounts had been “compromised” but asserted that the fault lay with users’ security practices rather than Apple’s own encryption.

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” said the company on September 1. “We are continuing to work with law enforcement to help identify the criminals involved."

This response was criticized by tech experts who responded that Apple had a duty of care for its customers, and that tech companies in general should not suppose that the average user is aware of security best practice and account for this in their systems.

Apple seems to have apparently taken this message to heart, with CEO Tim Cook reiterating the company’s commitment to privacy in interviews following the launch of the iPhone 6 and iPhone 6 Plus.

However, if these recently published emails prove to be legitimate, then it seems that Apple may have some explaining do regarding its treatment of reported flaws. Mr Balic certainly thinks so, telling the Daily Dot: “If Apple had taken this issue more seriously, perhaps such a problem would not have arisen.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in