
Apple aware of iCloud brute-force vulnerability six months before ‘Celebgate’

The software developer credited by Apple for discovering last year’s developer center flaw says that he informed Apple of an iCloud weakness that may have been used to obtain celebrity nudes more than six months before the photos were accessed.

The Daily Dot reports that Ibrahim Balic advised Apple in March of a Find My Phone weakness that would allow brute-force attacks on iCloud accounts. It has been suggested that this may have been one of the methods used to access the accounts – or even complete iPhone backups – of celebrities … 

In a March 26 email, Balic tells an Apple official that he’s successfully bypassed a security feature designed to prevent “brute-force” attacks—a method used by hackers to crack passwords by exhaustively trying thousands of key combinations. Typically, this kind of attack is defeated by limiting the number of times users can try to log in.

Balic goes on to explain to Apple that he was able to try over 20,000 password combinations against any account.
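The defence the article describes, limiting how many times a login can fail, is easy to see in code. The following toy login service is an added example written for this page, not code from the article, Apple or Balic: with no limit it evaluates every one of 20,000 constructed guesses, with a per-account lockout it answers "locked" after the tenth failure without checking the password at all. The user name, password, failure threshold and lockout period are all assumed values.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


class AccountStore:
    """Toy login service. max_failures=None models an endpoint with no
    attempt limit; an integer enables a per-account lockout (assumed values)."""

    def __init__(self, max_failures=10, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._creds = {}                       # user -> (salt, pbkdf2 hash)
        self._failures = defaultdict(int)      # user -> consecutive failures
        self._locked_until = defaultdict(float)  # user -> unix time lock ends

    @staticmethod
    def _hash(password, salt):
        # Low iteration count only to keep the 20,000-guess demo fast.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100)

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def login(self, user, password, now=None):
        """Return 'ok', 'denied' or 'locked'. A locked account is answered
        before the password is looked at, so the guess is never evaluated."""
        now = time.time() if now is None else now
        if now < self._locked_until[user]:
            return "locked"
        salt, expected = self._creds.get(user, (b"", b""))
        if expected and hmac.compare_digest(self._hash(password, salt), expected):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self.max_failures is not None and self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "denied"


def guesses_evaluated(store, user, candidates, now=0.0):
    """Feed a constructed candidate list to login() and report how many guesses
    the service actually checked and whether the real password was found."""
    checked, found = 0, False
    for pw in candidates:
        result = store.login(user, pw, now)
        if result == "locked":
            continue                  # rejected without evaluating the guess
        checked += 1
        found = found or result == "ok"
    return checked, found
```

Because the lockout is keyed on the account rather than the client, it also blunts guessing spread across many source addresses, which is the case a limit on a single connection would miss.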

While Apple issued a statement that appeared at first glance to deny this vulnerability was used, some suggested that the wording used may have been carefully chosen.

A number of emails were exchanged between Balic and Apple security. In an email dated May 6th, Apple did not appear to consider the vulnerability of concern, believing that it would take “an extraordinarily long time” to guess a password.

Apple responded to the leaked photos by promising security improvements, and shortly afterwards began notifying users of logins to iCloud and protecting iOS devices with two-factor authentication as part of iOS 8.



Comments

  1. johannwerner1860 - 10 years ago

    It will take a long time unless your password is password

  2. BlueLightAlarm - 10 years ago

    It’s really not going too well for Apple at the moment is it? They need to buck their ideas up as they’re starting to become a laughing stock

    • The Gnome (@gnomehole) - 10 years ago

      Some of it’s deserved, a lot isn’t. Apple isn’t “informed” about something just because some guy emails some guy. Apple is a large company. I’ve sent in a lot of feedback, but it sure doesn’t mean they have read it and talked about it in their board meetings.

      Maybe this will help them listen a little more… but I seriously doubt this guy’s email went very far and would certainly not consider someone informed officially just because an email was sent.

      • OneOkami (@OneOkami) - 10 years ago

        I think regardless of this person’s notification reaching the right ears, a company as large as Apple with all the data and services they have probably should by default have implemented a password lockout policy. That’s really a basic and fundamental defense against brute force attacks.

  3. Niels (@vbq31797) - 10 years ago

    iOS 8 problems, iPhone 6 bending, no China launch date yet, iCloud leaks, streaming problems during Apple event, U2 album. Not so great news these last weeks..

    • Jeremie M. | LYMF (@lymf) - 10 years ago

      reg. U2, honestly, a minority of people is making a big fuss about nothing and probably should care about other things… iOS 8.0.1 problems is def a screw up… The rest is more of a wait n see…

      • Niels (@vbq31797) - 10 years ago

        They are small things, but it all adds up. I have overweighted Apple in my portfolio for 5 years now, but 2 days ago I sold much of my shares. I planned to do this in early 2015, because I don’t see where the growth for the iPhone 6S is coming from, but I don’t like the way things are going these days.

      • paulywalnuts23 - 10 years ago

        Niels I have a feeling you might regret that sale…

    • Alex (@Metascover) - 10 years ago

      iPhone 6 bending?
      You mean those three phones on twitter? Yes, three.

      U2 album? The FREE U2 album? FUCK YOU !

    • Jim Phong - 10 years ago

      The only real iOS 8 problems have been with iOS 8.0.1 that was pulled after a few hours.
      iPhone 6 bending ? The fake nonsense childish and lame thing spread by competitors on the ‘net buying iPhone6 and 6Plus to crack them on purpose and prove that they crack ? Please!
      iCloud leaks … the whole thing is so fishy.. there is still no proof of anything nor is it known who is behind it… it really looks like a Hollywood driven marketing thing…
      U2 album…people nowadays surely are full of drugs blaming Apple for a gift. And competitors bashing Apple for that are even more pathetic

  4. Cory © (@Nardes) - 10 years ago

    uh oh.

  5. ikir - 10 years ago

    If brute force works, passwords are weak. Even celebs are idiots.

    • So all of your passwords are 32 characters long with a mixture of numbers, symbols and upper/lowercase letters, then? If not, shut up and accept that Apple messed up.

      • hmurchison - 10 years ago

        It doesn’t work like that. He wasn’t hacked. If you get hacked and your password is not significantly difficult then the issue is not Apple’s so long as they allow you to create difficult passwords. What makes you an adult is not necessarily age but the ability to reason and be accountable for your decisions.

      • Oh god, please spare me that “celebrities are irresponsible” bs rhetoric. Nobody is here to hear you spout about how much of an adult you think you are.

        Brute force attacks try a lot of passwords until one works. How is it hard to understand that perhaps iCloud shouldn’t allow 20000+ incorrect password attempts?

    • observer1959 - 10 years ago

      Apple ID: email
      Password; password

      Why were my sex photos stolen! Where’s the media!

  6. James Hays (@james_hays) - 10 years ago

    My 9 year old writes better than that guy. I wouldn’t take him serious either.

    • Aunty Troll (@AuntyTroll) - 10 years ago

      The guy is Turkish. Feel free to make a comment on this post in Turkish and we will see how you do with your grasp of a foreign language.

      • Kurt Feltenberger - 10 years ago

        He’s also the same clown that caused an uproar over another faux security breach a while back and then started whining like a butthurt b*tch when Apple didn’t jump as high or fast as he thought they should.

    • Simon Potts (@simoncbp) - 10 years ago

      Yes but does your 9 year old write as well in Turkish which is Ibrahim’s native language? The fact that he has written a sufficiently understandable letter in a second (or tertiary) language – should be commended

    • Ben Lovejoy - 10 years ago

      Does your 9 year old write better than that guy in a second language?

    • And I don’t take you serious”ly” either. You should probably bone up on grammar before criticizing others.

    • Nes (@NesliParlarU) - 10 years ago

      You may not take him seriously but It turns out Apple did.

      Just check his previous bug/security reports by searching “Ibrahim BALIC” on Apple’s website below.

      http://support.apple.com/kb/HT1318

  7. Jab King - 10 years ago

    if you have your password set to any of these: 1234567890,admin,password,hotgirl, then you need to have your head examined, because these are the most commonly used passwords ever

  8. b9bot - 10 years ago

    And again there was no brute force attack against iCloud. If there was, it was not successful. So there may be a vulnerability but it wasn’t used or attacked correctly to take advantage of it.

    • iJonni - 10 years ago

      Thank you. The brute force attack runs through standard dictionary words and common passwords. iCloud requires you to have an upper case letter and number mixed in somewhere in your password. None of the brute force attacks I’ve seen can crack those passwords.

  9. James David Huston - 10 years ago

    So the moderators here approve comments of people arguing about grammar, but a suggestion that your headline doesn’t accurately convey the content of the article isn’t allowed through? Nice.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
