Cupertino had been given an early heads up

Sep 25, 2014 12:10 GMT

Celebgate wouldn’t have happened if Apple had stopped to listen to a security researcher who apparently was aware of an iCloud flaw months before the fappening took place.

Ibrahim Balic, the researcher in question, reportedly informed Apple (using more than one channel) that iCloud was vulnerable to “brute-force” attacks, in which an attacker tries combinations of characters one after another until the password is guessed.

His first email was sent in March, and he subsequently had conversations with the Cupertino giant in an attempt to have iCloud patched, but to no avail.

Enter the fappening

A few months later, a wave of nude celebrity photos was released to the internet, presumably as a result of an attack using the flaw described by Balic. However, there was never a confirmation that the bug used to thwart iCloud’s security was indeed the one Balic had reported to Apple.

In fact, Tim Cook’s company denied it in a press statement earlier this month:

“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” Apple said.

“Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” the company added.

Apple then clarified that, “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

The documentation supplied by Apple also included a link to the company’s Support site, where customers can review a detailed support document on security and Apple IDs. The company stressed at the time that users should employ “a strong password and enable two-step verification.”

Not the first, and probably not the last

It’s worth noting that Balic is known for reporting other security issues in the past. And at one point, he was said to have been responsible for an earlier iCloud breach. None of these reports can be validated, unfortunately.

The second celebgate wave reported earlier this week may or may not be a new development regarding the integrity of Apple’s iCloud. The images could well have been obtained at the same time as the first ones. It’s also possible that Apple is right in that there was no iCloud breach involved and that the attacks were targeted.