The software developer credited by Apple for discovering last year’s developer center flaw says that he informed Apple of an iCloud weakness that may have been used to obtain celebrity nudes more than six months before the photos were accessed.
The Daily Dot reports that Ibrahim Balic advised Apple in March of a Find My Phone weakness that would allow brute-force attacks on iCloud accounts. It has been suggested that this may have been one of the methods used to access the accounts – or even complete iPhone backups – of celebrities …
While Apple issued a statement that appeared at first glance to deny this vulnerability was used, some suggested that the wording used may have been carefully chosen.
In a March 26 email, Balic tells an Apple official that he’s successfully bypassed a security feature designed to prevent “brute-force” attacks—a method used by hackers to crack passwords by exhaustively trying thousands of key combinations. Typically, this kind of attack is defeated by limiting the number of times users can try to log in.
Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account.
A number of emails were exchanged between Balic and Apple security. In an email dated May 6th, Apple did not appear to consider the vulnerability of concern, believing that it would take “an extraordinarily long time” to guess a password.
Apple responded to the leaked photos by promising security improvements, shortly afterwards notifying users of logins to iCloud and locking iOS devices with two-factor authentication as part of iOS 8.
