Researcher accuses Apple of ignoring iCloud brute-force attack for 6 months

Posted:
in iCloud edited September 2014
A security researcher who discovered a brute-force attack against Apple's iCloud service in March -- similar to the "iBrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier this month -- says that the company refused to address the flaw for months after he reported it.

Screenshots courtesy of The Daily Dot
Screenshots courtesy of The Daily Dot


Computer security expert Ibrahim Balic first notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to The Daily Dot. At the time, Balic told company representatives that he had been able to test as many as 20,000 passwords against specific accounts.

Apple employees were still working with Balic to assess the situation as late as May, when they appeared to discount its severity.

"Using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account," one Apple engineer wrote back to Balic. "Do you believe that you have a method for accessing an account in a reasonably short amount of time?"

It is unclear what relationship the bug that Balic discovered --?which he believes went unresolved -- has to the iBrute tool that allowed a similar attack against Find my iPhone. Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets.
«1345

Comments

  • Reply 1 of 94
    And I told Apple I want NFC in my iPhone for years and only now Apple releases a phone with NFC, talking about slow... and can you hear me, Apple, hello? I'm going to tell the world that you ignored me for two years... Hello?
  • Reply 2 of 94
    gatorguygatorguy Posts: 24,176member
    "Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets."

    I'm not sure that's exactly what Apple said. As I recall they used some very specific wording that was perhaps meant to give that impression, but they did not issue a denial.
  • Reply 3 of 94
    So they didnt ignore it. They were told about it. They responded. Just because tthey didn't put in s lockout doesn't mean they were doing nothing. Beside a lockout is a placebo in many respects because someone can still use piss poor security questions or phish for passwords.

    And there is still no proof of exactly how those few celeb accounts were accessed to know if this flaw was s factor. Heck we don't even know how many accounts there were that were actually iCloud ones
  • Reply 4 of 94
    Unimportant individuals trying to achieve some level of importance before vaguely-qualified peers. Goal = income.
  • Reply 5 of 94
    gatorguy wrote: »
    "Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets."

    I'm not sure that's exactly what Apple said. As I recall they used some very specific wording that was perhaps meant to give that impression, but they did not issue a denial.

    Supposedly it was this:
    CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

    To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
  • Reply 6 of 94
    ecatsecats Posts: 272member
    People seem to be under the impression that the password system has no time caps, it does, and always has, which is why dictionary attacks weren't ever really a feasible vector using the Find My iPhone user/pass system. It wasn't a surprise to anyone that it wasn't part of the photo leaks.
  • Reply 7 of 94
    herbapouherbapou Posts: 2,228member
    Quote:
    Originally Posted by Gatorguy View Post



    "Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets."



    I'm not sure that's exactly what Apple said. As I recall they used some very specific wording that was perhaps meant to give that impression, but they did not issue a denial.

     

     

    imo people need to stop thinking whatever Apple says is perfect and always the truth....

     

    that being said, since the security issues are now on the CEO radar and will get resolved, we may get a chance to add more Apple shares after its being dump on FUD.

  • Reply 8 of 94
    Okay. So what?
  • Reply 9 of 94

    Did nobody read the e-mails?

     

    He clearly states that the same vulnerability also worked on Google. He said it in both letters. He also stated that Google had gotten back to him either.

     

    Funny how everyone seems to be missing this part of his letters. It's like as soon as they see the word "Apple" they put on blinders.

     

     

    Edited: He stated Google did respond. I was thinking of something else.

  • Reply 10 of 94
    asdasdasdasd Posts: 5,686member
    Quote:

    Originally Posted by EricTheHalfBee View Post

     

    Did nobody read the e-mails?

     

    He clearly states that the same vulnerability also worked on Google. He said it in both letters. He also stated that Google hadn't gotten back to him either.

     

    Funny how everyone seems to be missing this part of his letters. It's like as soon as they see the word "Apple" they put on blinders.


    No he said that they did get back to him.

  • Reply 11 of 94
    asdasdasdasd Posts: 5,686member

    Hmm. The hacker guy wanted a lockout - but I think Apple have a timeout, which is better. Nobody wants to be locked out for ever.

  • Reply 12 of 94
    asdasdasdasd Posts: 5,686member

    So basically this guy is talking crap. Basically it would take years to test the 20,000 passwords. 

  • Reply 13 of 94
    Quote:

    Originally Posted by asdasd View Post

     

    No he said that they did get back to him.


     

    Correct, I switched them around and edited my post.

     

    However, that still doesn't change anything. He claims Google had this flaw as well. And he claimed in twice. So how come nobody is talking about Google having an exploit? Why hasn't he published his Google e-mails as well as the Apple e-mails?

  • Reply 14 of 94
    Quote:

    Originally Posted by Eideard View Post



    Unimportant individuals trying to achieve some level of importance before vaguely-qualified peers. Goal = income.



    I am Spartacus!

  • Reply 15 of 94
    From the headline title, one would assume that Apple never engaged on the issue but in fact, the article says that Apple was working with Balic and asked him if he could access an account in a reasonably short time. The article doesn't detail what if anything he said back to Apple.
  • Reply 16 of 94
    Quote:

    Originally Posted by markbyrn View Post



    From the headline title, one would assume that Apple never engaged on the issue but in fact, the article says that Apple was working with Balic and asked him if he could access an account in a reasonably short time. The article doesn't detail what if anything he said back to Apple.

    The goal is not to tell the truth. It's to create a story. 

  • Reply 17 of 94
    Quote:

    Originally Posted by ECats View Post



    People seem to be under the impression that the password system has no time caps, it does, and always has, which is why dictionary attacks weren't ever really a feasible vector using the Find My iPhone user/pass system. It wasn't a surprise to anyone that it wasn't part of the photo leaks.

    Huh?

  • Reply 18 of 94

    Ridiculous stories about Apple in the past few days. Sigh. What else is new....

  • Reply 19 of 94
    gatorguygatorguy Posts: 24,176member
    Correct, I switched them around and edited my post.

    However, that still doesn't change anything. He claims Google had this flaw as well. And he claimed in twice. So how come nobody is talking about Google having an exploit? Why hasn't he published his Google e-mails as well as the Apple e-mails?

    The e-mails indicate Google already told him how they would address it don't they? AFAIK Google put similar fixes in place sometime back, and probably prompted by Balic's research IMHO.

    He's been around awhile and is well-known to both companies. He's the same one who crashed Apple's developer portal and Google Play. Not once either but twice "just to be sure".
  • Reply 20 of 94
    rogifanrogifan Posts: 10,669member
    Good for the shorts I guess as the stock is down 3% today. Of course the market overall is down today so I guess it shouldn't be surprising Apple would be down even more than the overall market. That's usually how it goes.
Sign In or Register to comment.