A London-based software developer claims to have discovered a security glitch in Apple's sign-in systems that may have been used to access data on users' iCloud accounts. The Daily Dot obtained emails between Ibrahim Balic and Apple, dated as early as March 2014, in which he informs the company that he was able to bypass a security feature designed to prevent hackers from trying thousands of password combinations. These so-called "brute-force" attacks are normally thwarted by limiting the number of times one can try to log in, but Balic said he was able to get around that limit.
Balic first emailed Apple on March 26, telling someone named Scott that he "found a new issue regarding on Apple accounts," adding that "by this brute force attack method I can tray over 20,000+ times passwords on any accounts." He said he found the same security hole in Google and that they responded to his report. An email from May 6 indicated that the vulnerability had not been fixed.
Apple did not immediately respond to a request from Billboard for comment on the Daily Dot's report.
Of course Balic's discovery predates the still-raging Celebgate scandal, in which numerous celebrities have had their personal photos stolen from their accounts and then publicized on sites like 4Chan and Reddit. In a statement last month, Apple said its engineers determined that celeb accounts were hacked in "targeted" attacks on their user names, passwords and security questions. The company seemed to deny the attack could be the result of the kind of systemic loophole described by Balic in earlier, then-private emails. "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone," it said.
The FBI is investigating the Celebgate leaks, which continued on Saturday (Sept. 20) with the emergence of naked pics featuring actresses Jennifer Lawrence and Vanessa Hudgens, and reality star Kim Kardashian, among others. The first wave of stolen photos included Kate Upton, Kirsten Dunst, Selena Gomez and others.
Balic has flagged potential vulnerabilities in Apple's security before, and in June 2013 he informed the company of a flaw in its Apple Developer Center. The site was immediately taken down, and he was later acknowledged by the company for his discovery.