Apple knew of iCloud security hole 6 months before Celebgate

[swatkats]

Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher.

The emails, obtained earlier this month by the Daily Dot and reviewed by multiple security experts, show Ibrahim Balic, a London-based software developer, informing Apple of a method he’d discovered for infiltrating iCloud accounts.

The strength of Apple’s security came under fire earlier this month after hundreds of celebrity nude photos, allegedly stolen from iCloud servers, flooded the Internet. While the exploit Balic says he reported to Apple shares a stark resemblance to the exploit allegedly used in the so-called "Celebgate" hack, it is currently unclear if they are the same vulnerability.

In an email dated May 6, 2014, the reported vulnerability apparently remains unfixed, as an Apple official continues to question Balic over the details of his discovery.
“I believe the issue was not completely solved. They kept asking me to show them more stuff,” Balic told the Daily Dot.

Source: http://www.dailydot.com/technology/apple-icloud-brute-force-attack-march/


Oh yeah forgot to say, Apple takes security seriously my foot .

 

[avi]

From that very article: "It is currently unclear if they are the same vulnerability." Okay…

 

[Spacescreamer]

The way they came up with: 'It was a targeted attack'

It was like deja vu all again with their excuses. Ofc it was a targeted attack. When you have email ids pertaining to people, it has to be a targeted attack. The credentials are not gonna fall from the.. clouds, apple!

King of ambiguity, and utterly disappointing.
Infact, if apple had to design a super hero: iRunawayfromresponsibilities Man.

 

[Lord Nemesis]

^^ You are underestimating Apple. Just look at their Antenna gate fiasco. It was pretty clear that they knew about the issue before release (Wouldn't be half surprised if the problem itself was intentional). What do they do? They try to exploit this as an opportunity and were ready with $30 rubber bands to sell to the buyers. It was not a solution for damage control. They were ready with those things by the time they launched. God knows how much they would have been sold at had it not been blown so quickly into the open. They don't do super hero's. You ask them to do super villains and they won't disappoint.

In this particular case, I don't think that the leak and the security issues from this particular guy may be related. There is no guarantee.

Apple does get a lot of security vulnerabilities and bugs reported to them. That is a given for any software. Its not like this analyst reported the only issues in the system. I also know from personal experience that they often deny, ignore and generally sit on issues for days, months or even years if they can get away with it. They can afford to not care. Any publicity is good publicity for them. So a little bad PR because of an unfixed issue would not cause them any harm.

Looking at the timing of the celeb leaks, its a time they wanted to get into the lime light just before the big launch and as I said, it doesn't matter for them whether its positive or negative. There is no damage control involved because they can easily tilt the blame of to the victims. How easy would it be for them to facilitate a leak. They can do it in any number of ways and not get caught.

When a company like Sony or Microsoft have data leaked of their systems, even if its not due to negligence, they would get lambasted and sued by their users. When something similar happens at Apple, their fans would rush to defend them. Even if the victims are die hard fanbois till that time, the moment they protest against Apple, they would be alienated in a jiffy and they would get kicked to oblivion by the rest. The victim would be the one held responsible and shamed. That's how Apple ecosystem works.

 

[Spacescreamer]

^ Yea. Did read about the high handedness and the 'how dare you' attitude of apple inc quite a few times.

The incident about how a programmer was blacklisted by them just cuz he discussed an iOS flaw on his website. The glitch was making his app crash and he only mentioned on the site to discuss and make other devs aware of the situation.

I did gave this angle a thought as well, about the leaks coming from their camp to get that extra bit of limelight before their big launch. Afterall, they were ditching their BS line of 'our labs/research found out the perfect screen size'. But then i dismissed it as the repercussion would have been huge IF their complicity got out.

I couldnt have labelled a villian as iRunawayfromresp, as that would have been his ideal power .. no fun there in that case