An independent security researcher informed Apple about an iCloud vulnerability six months before it was used to hack into celebrity accounts, a report claimed Wednesday, adding that the revelation is based on leaked emails between the company and the security researcher. The leak, involving nude pictures of celebrities, gained notoriety as "The Fappening."
The emails, which were said to have been reviewed by several security experts, showed that Ibrahim Balic, a London-based software developer, informed Apple about a method that he had discovered for hacking into iCloud accounts. Although the exploit discovered by Balic bears a stark resemblance to the exploit that led to the leak of celebrity nude photos earlier this month, it has yet to be confirmed whether they are the same security vulnerability, Daily Dot reported.
According to the report, Balic informed Apple in a March 26 email that he had successfully bypassed the security of any iCloud account by using a hacking method called “brute-force,” which allows more than 20,000 password combinations to be tried. Balic also reported the flaw through Apple’s online bug submission platform and recommended that the company implement a feature in its iCloud service to prevent log-ins after a specific number of failed attempts.
Apple emailed Balic in May, questioning the validity of the exploit. The company also argued that hackers “would take an extraordinarily long time” to find a valid authentication to access iCloud accounts using the flaw. According to Balic, an Apple official continued to inquire about the details of the exploit.
“I believe the issue was not completely solved. They kept asking me to show them more stuff,” Balic told Daily Dot.
On Sept. 1, hackers posted nude photos of celebrities, including those of Jennifer Lawrence and Victoria Justice, after breaching their iCloud accounts. A report on The Next Web subsequently linked the incident to a malicious script, which was reportedly uploaded to the website GitHub last month.
Although Apple reportedly patched the vulnerability mentioned on GitHub, the company claimed that the celebrity accounts were hacked by targeting user names, passwords and security questions, “a practice that has become all too common on the Internet.”
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” Apple said in a statement.