The software developer credited by Apple for discovering last year’s developer center flaw says that he informed Apple of an iCloud weakness that may have been used to obtain celebrity nudes more than six months before the photos were accessed.
The Daily Dot reports that Ibrahim Balic advised Apple in March of a Find My Phone weakness that would allow brute-force attacks on iCloud accounts. It has been suggested that this may have been one of the methods used to access the accounts – or even complete iPhone backups – of celebrities …
In a March 26 email, Balic tells an Apple official that he’s successfully bypassed a security feature designed to prevent “brute-force” attacks—a method used by hackers to crack passwords by exhaustively trying thousands of key combinations. Typically, this kind of attack is defeated by limiting the number of times users can try to log in.
Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
While Apple issued a statement that appeared at first glance to deny this vulnerability was used, some suggested that the wording used may have been carefully chosen.
A number of emails were exchanged between Balic and Apple security. In an email dated May 6th, Apple did not appear to consider the vulnerability of concern, believing that it would take “an extraordinarily long time” to guess a password.
Apple responded to the leaked photos by promising security improvements, shortly afterwards notifying users of logins to iCloud and locking iOS devices with two-factor authentication as part of iOS 8.
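The article says this kind of attack is typically defeated by limiting how many times a user can try to log in. The following is an added example written for this page (it is not Apple's code and not from the reporter or Balic) of a per-account lockout of that kind: consecutive failures are counted per account, and once the count reaches a threshold further attempts are refused for a lockout period. The account name, the password, the guess list, the threshold of 5 and the 15-minute lockout are all constructed assumptions; the point is the contrast between how many guesses a 20,000-entry list would get to evaluate with and without the throttle.

```python
"""Added example (not from the article or Apple): a per-account login
throttle of the kind the article says typically defeats brute-force
guessing. Account name, password, guess list and policy numbers are
constructed assumptions for illustration.
"""
import hashlib
import hmac
import time

LOCKOUT_SECONDS = 900  # assumed policy: refuse attempts for 15 minutes

# Constructed guess list: a few of the common passwords the comments
# mention, followed by the (constructed) correct one.
GUESSES = ["password", "123456", "qwerty", "letmein", "admin",
           "hotgirl", "Summer2014!"]


class LoginThrottle:
    """Tracks consecutive failed logins per account and refuses attempts
    while an account is locked. Keyed by account rather than client IP, so
    changing source addresses does not reset the counter."""

    def __init__(self, max_failures=5, clock=time.monotonic):
        self._max = max_failures          # None means never lock
        self._clock = clock
        self._failures = {}               # account -> consecutive failures
        self._locked_until = {}           # account -> lock expiry time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def record_failure(self, account):
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if self._max is not None and n >= self._max:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def attempt_login(throttle, users, account, candidate):
    """Returns 'locked', 'ok' or 'denied'. Unknown accounts are counted like
    wrong passwords so the throttle does not reveal which accounts exist."""
    if throttle.is_locked(account):
        return "locked"
    rec = users.get(account)
    if rec is not None and hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"]):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def simulate_guessing(guesses, correct, max_failures=5):
    """Run a guess list against one constructed account and report whether
    the password was found and how many guesses were actually evaluated
    before the lockout refused further attempts."""
    salt = b"constructed-salt"
    users = {"victim@example.com": {"salt": salt, "hash": _hash(correct, salt)}}
    throttle = LoginThrottle(max_failures=max_failures)
    evaluated = 0
    for guess in guesses:
        result = attempt_login(throttle, users, "victim@example.com", guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return {"cracked": True, "evaluated": evaluated}
    return {"cracked": False, "evaluated": evaluated}


if __name__ == "__main__":
    print("with lockout:   ", simulate_guessing(GUESSES, "Summer2014!"))
    print("without lockout:", simulate_guessing(GUESSES, "Summer2014!", max_failures=None))
```

With the throttle in place the run stops after 5 evaluated guesses and the correct password, seventh in the list, is never reached; with `max_failures=None` (no lockout, the situation Balic describes) the same list succeeds on the seventh try. A real deployment would also persist the counters across servers and pair the lockout with the login notifications the article says Apple later added.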
It will take a long time unless your password is password
https://www.youtube.com/watch?feature=player_embedded&v=fHhYe2KXF-M
It’s really not going too well for Apple at the moment is it? They need to buck their ideas up as they’re starting to become a laughing stock
Some of it's deserved, a lot isn't. Apple isn't "informed" about something just because some guy emails some guy. Apple is a large company. I've sent in a lot of feedback, but it sure doesn't mean they have read it and talked about it in their board meetings.
Maybe this will help them listen a little more… but I seriously doubt this guy's email went very far and would certainly not consider someone informed officially just because an email was sent.
I think regardless of this person’s notification reaching the right ears, a company as large as Apple with all the data and services they have probably should by default have implemented a password lockout policy. That’s really a basic and fundamental defense against brute force attacks.
iOS 8 problems, iPhone 6 bending, no China launch date yet, iCloud leaks, streaming problems during Apple event, U2 album. Not so great news last weeks..
reg. U2, honestly, a minority of people is making a big fuss about nothing and probably should care about other things… iOS 8.0.1 problems is def a screw up… The rest is more of a wait n see…
They are small things, but it all adds up. I have overweighted Apple in my portfolio for 5 years now, but 2 days ago I sold much of my shares. I planned to do this in early 2015, because I don't see where the growth for the iPhone 6S is coming from, but I don't like the way things are going these days.
Niels I have a feeling you might regret that sale…
iPhone 6 bending?
You mean those three phones on twitter? Yes, three.
U2 album? The FREE U2 album? FUCK YOU !
The only real iOS 8 problems have been with iOS 8.0.1 that was pulled after a few hours.
iPhone 6 bending? The fake nonsense childish and lame thing spread by competitors on the 'net buying iPhone 6 and 6 Plus to crack them on purpose and prove that they crack? Please!
iCloud leaks… the whole thing it's so fishy… there is still no proof of anything nor is it known who is behind it… it really looks like a Hollywood driven marketing thing…
U2 album…people nowadays surely are full of drugs blaming Apple for a gift. And competitors bashing Apple for that are even more pathetic
True :)
uh oh.
If brute force works, passwords are weak. Even celebs are idiots.
So all of your passwords are 32 characters long with a mixture of numbers, symbols and upper/lowercase letters, then? If not, shut up and accept that Apple messed up.
It doesn’t work like that. He wasn’t hacked. If you get hacked and your password is not significantly difficult then the issue is not Apple’s so long as they allow you to create difficult passwords. What makes you an adult is not necessarily age but the ability to reason and be accountable for your decisions.
Oh god, please spare me that “celebrities are irresponsible” bs rhetoric. Nobody is here to hear you spout about how much of an adult you think you are.
Brute force attacks try a lot of passwords until one works. How is it hard to understand that perhaps iCloud shouldn’t allow 20000+ incorrect password attempts?
Apple ID: email
Password; password
Why were my sex photos stolen! Where’s the media!
My 9 year old writes better than that guy. I wouldn’t take him serious either.
The guy is Turkish. Feel free to make a comment on this post in Turkish and we will see how you do with your grasp of a foreign language.
He’s also the same clown that caused an uproar over another faux security breach a while back and then started whining like a butthurt b*tch when Apple didn’t jump as high or fast as he thought they should.
Yes but does your 9 year old write as well in Turkish which is Ibrahim’s native language? The fact that he has written a sufficiently understandable letter in a second (or tertiary) language – should be commended
Does your 9 year old write better than that guy in a second language?
And I don’t take you serious”ly” either. You should probably bone up on grammar before criticizing others.
You may not take him seriously but It turns out Apple did.
Just check his previous bug/security reports by searching "Ibrahim BALIC" on Apple's website below.
http://support.apple.com/kb/HT1318
If you have your password set to any of these: 1234567890, admin, password, hotgirl, then you need to have your head examined, because these are the most commonly used passwords ever.
And again there was no brute force attack against iCloud. If there was, it was not successful. So there may be a vulnerability, but it wasn't used or attacked correctly to take advantage of it.
Thank you. The brute force attack runs through standard dictionary words and common passwords. iCloud requires you to have an upper case letter and number mixed in somewhere in your password. None of the brute force attacks I’ve seen can crack those passwords.
So the moderators here approve comments of people arguing about grammar, but a suggestion that your headline doesn’t accurately convey the content of the article isn’t allowed through? Nice.