In a new twist to the celebrity nude photo leak scandal, which was purportedly due to a critical security flaw in Apple's iCloud and Find My iPhone services but which the company later clarified to be breaches of individual accounts, The Daily Dot reports that a security expert by the name of Ibrahim Balic had an extended email conversation with an Apple executive in March about a loophole for infiltrating iCloud accounts.
According to the conversation, Balic supposedly managed to guess the passwords of a few Apple accounts by brute force, testing around 20,000 passwords against these accounts. He then immediately contacted Apple to highlight this fatal flaw and ask the company to apply an account lockout policy immediately.
A back-and-forth ensued and Apple's security team tried to iron out the weakness, but after around a month a decrease in threat level made them stop investigating it any further. In what looks like the final email of the thread, Apple's security liaison asked, "Do you believe that you have a method for accessing an account in a reasonably short amount of time?"
The Daily Dot claims to have had the email conversations reviewed by security experts. It is interesting to note that the same Ibrahim Balic, a Turkish developer living in London, was behind the hack on Apple's developer website in June last year, where he claimed to have the personal information of more than 10,000 registered users.
Apple had earlier accepted that hackers obtained nude photos of Jennifer Lawrence and other female celebrities by pilfering images from individual accounts rather than through a broader attack on the company's services. Later, Apple included two-step verification for protecting iCloud.
We are now wondering if the 'celebgate' leaks could have been avoided had Apple understood the seriousness of the problem as soon as it was allegedly highlighted by Balic. In case you want to protect your iCloud account from theft, we have a handy how-to article, which includes details on setting up two-step authentication.
Written with agency inputs