A security researcher warned Apple in March 2014 of a security hole that left the personal data of iCloud users vulnerable.
A string of emails went back and forth between Jobs’ Mob and Ibrahim Balic, a London-based software developer, in which he told the cargo cult of a method he’d discovered for infiltrating iCloud accounts.
The exploit Balic says he reported to Apple is similar to the exploit allegedly used in the so-called “Celebgate” hack.
Balic told an Apple official that he had successfully bypassed a security feature designed to prevent “brute-force” attacks. Typically, this kind of attack is defeated by limiting the number of times a user can try to log in before the account is locked or further attempts are throttled.
He said that he could try over 20,000 password combinations against any account, and that he was warning Apple so the flaw could be fixed. Balic also reported the vulnerability through Apple’s online bug submission platform.
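The general failure mode described above, as an added illustration that is not part of the original article and is not Apple’s code: the page does not say how Balic got past Apple’s limit, so this example shows only the textbook version of the mistake, a failed-attempt counter keyed on something the attacker controls (a session token) next to one keyed on the account under attack and kept server side. The user database, the names `WeakLogin`, `HardenedLogin` and `brute_force`, and the wordlist are all constructed for the demo.

```python
"""Constructed example: login attempt limiting that can, and cannot, be reset by the client.

Not Apple's code and not the bug Balic reported; it demonstrates the general
pattern of a brute-force limit keyed on the wrong identifier.
"""
import hashlib
import hmac
import itertools

# Constructed in-memory user store: username -> salted PBKDF2 hash.
USERS = {}
DEMO_SALT = b"static-salt-for-demo-only"  # a real system uses a random salt per user
MAX_ATTEMPTS = 5  # assumed policy: lock after five consecutive failures


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 10_000)


def register(username, password):
    USERS[username] = hash_password(password)


def check_password(username, password):
    stored = USERS.get(username)
    # constant-time comparison so the check itself leaks nothing useful
    return stored is not None and hmac.compare_digest(stored, hash_password(password))


class WeakLogin:
    """Counts failures per client-supplied session id.

    Because the attacker chooses the session id, a fresh one per guess means
    the counter never reaches MAX_ATTEMPTS.
    """

    def __init__(self):
        self.attempts = {}  # session id -> failed count

    def login(self, session_id, username, password):
        if self.attempts.get(session_id, 0) >= MAX_ATTEMPTS:
            return "locked"
        if check_password(username, password):
            return "ok"
        self.attempts[session_id] = self.attempts.get(session_id, 0) + 1
        return "denied"


class HardenedLogin:
    """Counts failures per target account, server side, whatever client sent them."""

    def __init__(self):
        self.failures = {}  # username -> failed count

    def login(self, session_id, username, password):
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"
        if check_password(username, password):
            self.failures.pop(username, None)  # reset on success
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


def brute_force(service, username, wordlist, max_tries=20_000):
    """Guess passwords, using a brand-new session id for every attempt.

    Returns (recovered_password_or_None, number_of_guesses_the_service_accepted).
    """
    for n, guess in enumerate(itertools.islice(wordlist, max_tries), start=1):
        result = service.login(f"session-{n}", username, guess)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n - 1
    return None, max_tries


if __name__ == "__main__":
    register("alice", "hunter2")
    wordlist = [f"pass{i}" for i in range(19)] + ["hunter2"]  # constructed wordlist
    print("weak:", brute_force(WeakLogin(), "alice", wordlist))
    print("hardened:", brute_force(HardenedLogin(), "alice", wordlist))
```

Against `WeakLogin` the attacker walks the whole wordlist and recovers the password on the twentieth guess; against `HardenedLogin` the account locks after the fifth failure no matter how many sessions the attacker opens. The per-account counter has its own cost, which a practitioner should weigh: anyone who knows a username can lock its owner out, so production systems pair it with per-source throttling, a CAPTCHA step, or an exponential back-off rather than a hard lock.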
By May 6 the reported vulnerability apparently remained unfixed; an Apple official continued to question Balic over the details of his discovery but did nothing.
Then, soon after the Celebgate photos exploded across the Web, Apple reportedly patched Balic’s vulnerability.
Apple denied, however, that it was in any way linked to the Celebgate event. The theft of the photographs, a statement from the company insisted, was not the result of “any breach in any of Apple’s systems including iCloud or Find my iPhone.”
This is the second time Apple has treated Balic this way. In June 2013 he identified a security flaw in the Apple Developer Centre.
In that case the website was almost immediately taken down, and Apple claimed that “an intruder attempted to secure personal information of registered developers” and said it had called the rozzers.
The implication was that Balic was a criminal for reporting the flaw and Apple was only too happy to have him arrested for daring to point out flaws in its security.
Needless to say, Balic was a little concerned about that and went public in the form of a comment on a TechCrunch article. He later uploaded a YouTube video which he says contains proof of his discovery.
Apple later acknowledged Balic for reporting a cross-site scripting (XSS) vulnerability on its Web Server notification page.