Apple was apparently aware of the flaw in iCloud for as long as six months before it was exploited.
According to emails obtained and published by the Daily Dot, software developer Ibrahim Balic informed Apple of a method he had discovered for breaking into iCloud accounts. He acknowledged that while his technique bears a strong resemblance to the one allegedly used in the so-called “Celebgate” hack, it was unclear whether it was the same vulnerability.
In an email sent on March 26th, Balic told an Apple official that he had bypassed a security feature designed to prevent brute-force attacks and had been able to try over 20,000 password combinations against any account. He followed up with Apple in May to report that the issue remained unfixed.
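To show what the control Balic reported bypassing actually does, here is an added example (not code from the original article, and not a description of how the iCloud flaw worked): a per-account failed-login lockout, alongside a weaker variant keyed by account and login endpoint. The policy values (five failures, fifteen-minute lockout), the account name, the endpoint names and the 20,000-entry guess list are all assumptions constructed for the example; the general design point is that any authentication path which does not share the account's failure counter multiplies the attacker's guessing budget.

```python
import time
from collections import defaultdict

# Assumed policy values for this example (not Apple's): five consecutive
# failures lock the account for fifteen minutes.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


class AccountLockout:
    """Lockout keyed by account only, so every login path shares one budget."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock for testing
        self._failures = defaultdict(int)
        self._locked_until = {}

    def _key(self, account, endpoint):
        return account                      # endpoint deliberately ignored

    def is_locked(self, account, endpoint):
        key = self._key(account, endpoint)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._now() >= until:            # lockout expired: reset the counter
            del self._locked_until[key]
            self._failures[key] = 0
            return False
        return True

    def record_failure(self, account, endpoint):
        key = self._key(account, endpoint)
        self._failures[key] += 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = self._now() + LOCKOUT_SECONDS

    def record_success(self, account, endpoint):
        key = self._key(account, endpoint)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


class PerEndpointLockout(AccountLockout):
    """Same logic keyed by (account, endpoint): a hypothetical design mistake, since
    an attacker who spreads guesses across N login paths gets N times the budget."""

    def _key(self, account, endpoint):
        return (account, endpoint)


def authenticate(lockout, credentials, account, password, endpoint):
    """Return 'locked', 'ok' or 'denied'; the lockout is checked before the password."""
    if lockout.is_locked(account, endpoint):
        return "locked"
    if credentials.get(account) == password:
        lockout.record_success(account, endpoint)
        return "ok"
    lockout.record_failure(account, endpoint)
    return "denied"


def brute_force(lockout, credentials, account, guesses, endpoints):
    """Submit every guess, rotating across endpoints. Returns (evaluated, cracked),
    where 'evaluated' counts guesses the server actually compared to the password."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = authenticate(lockout, credentials, account, guess,
                              endpoints[i % len(endpoints)])
        if result == "locked":
            continue                        # rejected without checking the password
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


# Constructed sample data: one account and a 20,000-guess list (the figure from the article).
CREDENTIALS = {"victim@example.com": "correct horse battery staple"}
GUESSES = [f"password{i}" for i in range(20000)]
ENDPOINTS = ("web", "mobile_api", "legacy_api")


def compare_designs():
    """Guesses actually evaluated under each design, with a frozen clock so no lockout expires."""
    frozen = lambda: 0.0
    shared = brute_force(AccountLockout(frozen), CREDENTIALS, "victim@example.com", GUESSES, ENDPOINTS)
    split = brute_force(PerEndpointLockout(frozen), CREDENTIALS, "victim@example.com", GUESSES, ENDPOINTS)
    return {"shared_counter": shared, "per_endpoint_counter": split}


if __name__ == "__main__":
    print(compare_designs())
```

With a single shared counter the attacker gets five password comparisons before every further request is refused unchecked; with one counter per endpoint the same 20,000-guess run is evaluated fifteen times across three endpoints, and the budget grows with every additional login path that keeps its own count. The lockout is also evaluated before the password is compared, so a locked account gives the attacker no information about whether a guess was right.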
Apple, however, seemed more interested in how he had found the exploit, replying: “using the information that you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account”. Note that Balic had reported guessing passwords, whereas Apple's reply speaks of guessing an authentication token, which is a different and far larger search space.
Balic later uploaded a YouTube video that he says demonstrates his discovery, and Apple credited him for reporting a separate cross-site scripting (XSS) vulnerability on its web server notifications page.
Asked why a fix took so long to be applied, Stephen Coty, chief security evangelist at Alert Logic, told IT Security Guru that it typically takes software companies six to 12 months to patch a newly reported vulnerability. “This is very typical and I’m sure that once Apple learned of the vulnerability, they started the process of researching and writing the patch,” he said.