In a recent interview with Charlie Rose on PBS, Apple CEO Tim Cook said that the iCloud breach that leaked private celebrity photos wasn’t necessarily a security flaw on Apple’s side, but rather the result of a targeted phishing scheme. The company has since activated two-factor authentication to help boost the security of iCloud, but one developer says he informed Apple about the vulnerability as long as six months before the attack took place.
The Daily Dot received an email from Ibrahim Balic, a well-known security expert who, as 9to5Mac notes, has alerted Apple to previous holes in the past. “I found a new issue,” his note reads. “By this brute force attack method I can try over 20,000+ times passwords on any accounts. I think account lockout policy should be applied,” he said in an e-mail to Apple on March 26, which was obtained by The Daily Dot.
Balic received a response from Apple security that said “it would take an extraordinarily long time to find a valid authentication token for an account,” which suggests Apple believed it wasn’t possible for hackers to flood the site with password guesses until one matched. Except, that’s exactly what happened and what led to the breach.
Balic, who said that he himself was able to test 20,474 password combinations on a single account, argued that Apple didn’t take his claims seriously enough to address the bug before iCloud was eventually hacked using the same method he alerted security about. As a result, hundreds of celebrity photos were spilled to the public, creating mistrust in Apple’s iCloud security that Cook eventually had to address in a public letter to consumers.
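To illustrate the account lockout policy Balic asked for, here is an added example (not Apple's code and not taken from the e-mails): a per-account sliding-window counter of failed logins that locks the account after a threshold, so that tens of thousands of guesses against one account are never evaluated. The thresholds (5 failures in 15 minutes, 30-minute lock) and the `simulate_guessing` helper are assumptions for the demonstration.

```python
from collections import defaultdict, deque


class AccountLockoutPolicy:
    """Per-account failed-login tracking with a sliding window and a lockout.

    Assumed parameters for this example: 5 failures within 15 minutes lock the
    account for 30 minutes. The caller supplies the current time in seconds so
    the policy is deterministic and testable offline.
    """

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def _prune(self, account, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'fail'.

        A locked account rejects even the correct password, so a guesser that
        happens to hit the right one learns nothing until the lock expires.
        """
        if self.is_locked(account, now):
            return "locked"
        self._prune(account, now)
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account].clear()
        return "fail"


def simulate_guessing(policy, account, guesses, correct, start=0.0):
    """Feed constructed guesses at one per second; return how many were evaluated."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        if policy.attempt(account, guess == correct, start + i) != "locked":
            evaluated += 1
    return evaluated
```

With the assumed thresholds, a run of 20,474 wrong guesses followed by the right one gets only 60 guesses evaluated, and the final correct guess is rejected because the account is still locked.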
A few e-mails between Apple and Ibrahim are included below.