
Apple Reportedly Aware of iCloud Flaw Six Months Before Hacking of Celebrity Accounts

Apple knew about an iCloud security flaw six months before it was utilized to hack celebrity accounts on the service, reports The Daily Dot. The company was notified of the exploit by independent security researcher Ibrahim Balic, who shared emails between himself and members of Apple's product security team.

In an email from March 2014, Balic told Apple that he was able to bypass the security of any iCloud account by using a "brute-force" hacking method that was able to try over 20,000 password combinations. Balic recommended to Apple that it should implement a feature in iCloud that prevents log-ins after a set number of failed attempts, and even reported the exploit through Apple's Bug Reporter. Balic was also the developer said to be behind the extended outage of Apple's Dev Center last year.

In May 2014, Apple emailed Balic and questioned the validity of the exploit, stating that it "would take an extraordinarily long time" to find a valid authentication token to get into an iCloud account using the flaw. Balic states that Apple continued to ask him about the exploit and how it would be utilized.

On September 1, 2014, hackers breached the iCloud accounts of many well-known actresses, downloading and leaking private photos and videos. While it was not initially known what caused the breach, The Next Web linked to a Python script on GitHub that may have been used for the hacking. The script utilized a brute-force-like method which allowed hackers to keep guessing passwords without being locked out.

Apple acknowledged later in the day that it was investigating the breach, ultimately leading to comments from CEO Tim Cook along with new security implementations. Those implementations included automatic emails when iCloud accounts are accessed via web browsers, automatic two-factor authentication for iCloud.com, and mandatory app-specific passwords for third-party apps accessing iCloud.
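
The mitigation Balic recommended, a limit on failed log-in attempts, can be sketched as a per-account throttle whose lockouts grow with each repeat. This is an added example, not Apple's implementation or code from the article; the threshold, lockout durations and the `LoginThrottle` and `guesses_evaluated` names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 5          # assumed threshold; the article does not give one
BASE_LOCK_SECONDS = 60    # assumed length of the first lockout
MAX_LOCK_SECONDS = 3600   # assumed ceiling for a single lockout


@dataclass
class AccountState:
    failures: int = 0       # consecutive failures since last success or lockout
    lockouts: int = 0       # lockouts since the last successful log-in
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account failed-attempt limiter with exponentially growing lockouts."""

    def __init__(self):
        self.accounts = {}

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one log-in attempt at time `now`."""
        state = self.accounts.setdefault(account, AccountState())
        if now < state.locked_until:
            return "locked"  # rejected before the password is even compared
        if password_ok:
            state.failures = 0
            state.lockouts = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.lockouts += 1
            state.failures = 0
            delay = BASE_LOCK_SECONDS * 2 ** (state.lockouts - 1)
            state.locked_until = now + min(delay, MAX_LOCK_SECONDS)
        return "denied"


def guesses_evaluated(throttle, account, attempts, interval):
    """Count how many wrong guesses, sent every `interval` seconds, reach the password check."""
    evaluated = 0
    for i in range(attempts):
        if throttle.attempt(account, False, now=i * interval) != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    # 20,000 guesses (the figure in Balic's report) at one per second.
    print(guesses_evaluated(LoginThrottle(), "user@example.com", 20000, 1))
```

With these assumed settings, only 55 of 20,000 guesses sent one per second are ever compared against the password. The trade-off is that a correct password is also refused while the account is locked, so a per-account limit is usually paired with owner notification and per-source limits.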


Top Rated Comments


22 months ago
It's all going rather brilliantly at the moment isn't it.
Rating: 81 Votes
22 months ago
I'm waiting for the not Apple's fault crowd.

I love Apple products, the culture, heck I love everything about Apple EXCEPT the excuses made for them. Apple prides itself on excellence. Until they no longer make quality and excellence a selling point their customers need to demand it and call them out when they underperform.

Making excuses for mistakes & sloppy work will not help Apple.
Rating: 32 Votes
22 months ago
Wow, more good news for apple. They're really hitting their stride with bad press lately.

Bending phone
iOS 8.01 bug that should not have been rolled out
iCloud security issues that should have been addressed sooner.
Rating: 31 Votes
22 months ago
Geeze, when it rains (bad news) it pours.
Rating: 26 Votes
22 months ago
Not surprising considering Apple fumbles their core tasks such as putting out maintenance releases without properly testing them.
Rating: 19 Votes
22 months ago
LOL, Apple really is on a roll lately. Leaked pics, great keynote stream, bend gate, iOS 8 and 8.0.1.
Bravo, well deserved Thanksgiving break ;).
Rating: 19 Votes
22 months ago
Surely wouldn't trust them with Apple pay now, imagine your credit card information stolen. :rolleyes:
Rating: 19 Votes
22 months ago
This was a targeted phishing exercise over the course of months if not years.

Email accounts etc from many different services were hit, there was no 'hacking' that occurred.

Could Apple have had alerts in place telling people accounts were being accessed from the start - for sure. But weak passwords and weak answers to security questions when you're in the public eye won't ever stop someone gaining access to your account.

It's a shame that not only have the victims of the leaks been blamed for ever having personal things - irregardless of where they're shared, but that only Apple seems to be singled out as being 'hacked'. The latest leak of Kim Kardashian (Checked, for science) clearly shows her taking photos on a Blackberry - do Blackberries sync to iCloud? And yet blackberry are very well known for their security chops, but I haven't seen a single article talking about Blackberry being 'hacked'... Why? Because no one really cares about Blackberry, it's not good news to create a story about kicking a dead dog.
Rating: 17 Votes
22 months ago

Now, the iCloud security issues are indeed worrying if Apple knew about them 6 months before. Most people use rather weak passwords such as Password123, but still that's not an excuse for ignoring a reported security flaw.


If your password is Password123, any loss of data is really self inflicted and you have nobody to blame.
Rating: 13 Votes
22 months ago

Bentgate isn't really an issue, I think... I mean, if you apply lots of pressure to an aluminium phone, it will bend. That's not an issue, it's just physics. It's like all the drop tests: if you drop a glass item on the floor several times, the odds are it will break.

I still fail to see why this is an issue, but then again most people nowadays lack common sense.


It depends how easily it bends. Most phones can be bent when there's enough force and that's acceptable. However, if the phone bends in totally normal use conditions, then that's an issue.
Rating: 12 Votes
