Emails between a security researcher and Apple, leaked Wednesday, reveal that the company knew about a security flaw in iCloud six months before hundreds of celebrities’ nude photos were hacked and leaked from their Apple accounts earlier this month.
Emails obtained by the Daily Dot between London-based security researcher Ibrahim Balic and Apple show Balic warning the Silicon Valley giant about a successful hacking method he’d used to get around iCloud security meant to prevent “brute-force” cyberattacks.
Such attacks were used to access the iCloud accounts of celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and others by exploiting a flaw in Apple’s “Find My iPhone” app, which reportedly allowed the attacker(s) to try many passwords with a guessing tool until eventually hitting the right one. Conventional login systems lock a user out after a set number of incorrect entries.
In an email to Apple dated March 26, Balic said he was able to attempt more than 20,000 password combinations on any account, and he wanted to notify Apple in the hope that the company would fix the problem. In addition to the email, Balic also submitted his discovery to Apple’s online bug submission page.
Someone from Apple responded to Balic on May 6 asking for more information about his discovery, and cast doubt on its potential to let hackers access accounts in a timely fashion.
“Using the information you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account,” the Apple representative wrote. “Do you believe that you have a method for accessing an account in a reasonably short amount of time?”
Right after the pictures spread across the web along with their alleged source, Apple reportedly patched the security flaw in “Find My iPhone” immediately, while denying that iCloud had been hacked. In a company statement put out the week of the attack, Apple denied responsibility, asserting that the celebrities were specifically targeted by an attack of a kind that could have affected any website.
Despite the “Find My iPhone” patch and a new iCloud two-step authentication security update recently issued by Apple, the company continues to deny any responsibility for the hack.
“If Apple had taken this issue more seriously, perhaps such a problem would not have arisen,” Balic said in the report.