A software developer in London warned Apple of iCloud's vulnerability to a brute-force attack months before the service was implicated in the leaks of hundreds of explicit photos and videos of celebrities. As reported by The Daily Dot, Ibrahim Balic brought the security hole to Apple's attention in a series of emails that began this past March.
Balic provided emails to an Apple official as evidence that the company knew well ahead of the photo scandal. In the correspondence, Balic notes the ability to bypass the account lockout feature which is supposed to kick in after a large number of incorrect login attempts. Without this safety feature in place, Balic's testing attempted over 20,000 password tries in rapid succession. This type of attack is a common way to gain access to user accounts on a variety of platforms, which is why many companies place a hard restriction on the number of times a login can be attempted before the account is locked.
Balic's emails didn't fall entirely on deaf ears, as a response from Apple notes that they investigated the vulnerability and determined that "it would take an extraordinarily long time" to breach an account in this way. Balic also submitted a formal bug report using Apple's developer portal.
In the wake of the photo leaks, Apple tweaked its security to patch brute-force vulnerability, and expanded two-factor authentication. For the record, the company's carefully-worded statements on the matter deny that a breach of any Apple service occurred, or was to blame for the celebrity photo leaks.
No comments:
Post a Comment