You are using an outdated browser. Please upgrade your browser to improve your experience.
Apple knew of iCloud vulnerabilities that led to 'Celebgate' since March 2014

Apple knew of iCloud vulnerabilities that led to 'Celebgate' since March 2014

September 25, 2014

This has been a very bad week for Apple — and it’s only getting worse.

Before “Bendgate” and the iOS 8.0.1 release snafu, Apple was confronted with “Celebgate,” which saw hackers release naked celebrity photographs originally stored on iCloud. Initially, the company said that the theft of the photographs was not the result of “any breach in any of Apple’s systems including iCloud or Find my iPhone.”

That might not be true.

The Daily Dot says that Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable. This conclusion comes after the site reviewed leaked emails between the company and a noted security researcher.

London-based Ibrahim Balic alerted Apple numerous times to “brute-force” iCloud vulnerabilities. This method is used by hackers to crack passwords by trying thousands of key combinations. It is the same method allegedly used by hackers to download naked photos of celebrities such as Jennifer Lawrence, Kim Kardashian, among others.

Though Apple has admitted to no wrongdoing, it has taken steps to improve the situation.


CEO Tim Cook admitted to The Wall Street Journal that “Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords”:

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Earlier this month, Apple expanded the use of two-step verification to further protect iCloud accounts. They also began sending out alerts when iCloud accounts are accessed via the Web.

More alerts are being launched in the coming weeks. These include when an iCloud password is changed, a device is restored from the account, or when one logs in from a new device. Previously, password change and login alerts were only sent when the event took place on a new Apple device.

At this point, no one is saying why Balic’s concerns weren’t addressed, which comes as a surprise.

In June 2013, he identified a security flaw in the Apple Developer Center. Apple later acknowledged Balic for reporting a cross-site scripting (XSS) vulnerability on its Web Server notification page.

See also: Apple CEO Tim Cook talks about privacy in part two of his interview with Charlie Rose.

Related articles