Researcher accuses Apple of ignoring iCloud brute-force attack for 6 months

A security researcher who discovered a brute-force attack against Apple's iCloud service in March — similar to the "iBrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier this month — says that the company refused to address the flaw for months after he reported it.

Computer security expert Ibrahim Balic first notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to The Daily Dot. At the time, Balic told company representatives that he had been able to test as many as 20,000 passwords against specific accounts.

Apple employees were still working with Balic to assess the situation as late as May, when they appeared to discount its severity.

"Using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account," one Apple engineer wrote back to Balic. "Do you believe that you have a method for accessing an account in a reasonably short amount of time?"

It is unclear what relationship the bug that Balic discovered — which he believes went unresolved — has to the iBrute tool that allowed a similar attack against Find My iPhone. Apple later denied that the Find My iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets.