Apple knew of iCloud ‘brute-force’ attack issue 6 months before nude celebrity photo leak, security researcher claims

“Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher,” Dell Cameron reports for The Daily Dot. “The emails, obtained earlier this month by the Daily Dot and reviewed by multiple security experts, show Ibrahim Balic, a London-based software developer, informing Apple of a method he’d discovered for infiltrating iCloud accounts.”

“While the exploit Balic says he reported to Apple shares a stark resemblance to the exploit allegedly used in the so-called ‘Celebgate’ hack, it is currently unclear if they are the same vulnerability,” Cameron reports. “In a March 26 email, Balic tells an Apple official that he’s successfully bypassed a security feature designed to prevent “brute-force” attacks—a method used by hackers to crack passwords by exhaustively trying thousands of key combinations. Typically, this kind of attack is defeated by limiting the number of times users can try to log in.”

“Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account. The vulnerability was also reported by Balic using Apple’s online bug submission platform,” Cameron reports. “Soon after the Celebgate photos exploded across the Web, Apple reportedly patched the vulnerability [that allowed attackers to guess passwords repeatedly in the Find My iPhone service without any sort of lockout or alert to the target]. The company denied, however, that it was in any way linked to the Celebgate event. The theft of the photographs, a statement from the company insisted, was not the result of ‘any breach in any of Apple’s systems including iCloud or Find my iPhone.'”

Read more in the full article here.

Related articles:
Apple’s iCloud security nightmare gets worse as more nude celebrity pics leak – September 21, 2014
Since the celebrity nude iCloud hacks, one third of Americans have improved their online security – September 8, 2014
Apple denies iCloud breach – September 3, 2014
How easy is it to crack into an Apple iCloud account? We tried to find out – September 3, 2014
Celeb nudes: Comprehensive review of forum posts reveals no mention of ‘Find My iPhone’ brute force technique – September 2, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014


  1. “The theft of the photographs, a statement from the company insisted, was not the result of ‘any breach in any of Apple’s systems including iCloud or Find my iPhone.’”

    That’s an extremely carefully worded response that is 100% accurate but misses the point.

    Getting the right passwords for multiple users is not a “breach.” The guesses could’ve been right the first time, or second, or third, even up to 10 (the same number of attempts before iOS devices wipe themselves, if so configured).

    If the system allowed over 20,000 attempts per user without halting bad attempts after 10, then it *is* a security flaw that could have been exploited.

    1. A 20,000 limit is sufficient to prevent brute force password attacks. A very easy to brake password of 6 letters would can be 1 of 308,915,776 possible combinations (26^6). A relatively secure password, of 8 letters & number, is 1 of 2,821,109,907,456 combinations (36^8). Only a 4 letter password comes anywhere close to the 20,000 limit, and Apple does not allow setting iCloud passwords this insecure.

      Any attempted brute force password attack would have left a lot of evidence in system logs, displaying a distinct pattern of password guessing along with identifying the attacker’s IP address. The logs have been analyzed, and there is no evidence of brute force attacks on the accounts in question.

      There was no breach. Beyond reasonable doubt, these passwords were stolen using phishing, or other social engineering techniques where the victim is tricked into revealing their own password to the thief.

      1. Phishing may be the answer, but I doubt that someone trying to crack a celebrity’s password would use a random number generator. They would first research the person on Wikipedia, Twitter, Facebook, etc. to find likely passwords (date of birth, first boyfriend, pets, etc.) and try those first. Then they would try the most common passwords (password, 123456, qwerty, etc.). If the celebrity picked her own password, rather than using a password manager, the chances are pretty good of guessing it within 9 tries, much less 20,000. The research from the first step would also allow answering the most common “security” questions. Once the hacker gets into one account, the chances are fair to good that the same password will access everything else.

      2. According to the researcher 20,000 wasn’t the limit. The way I read it, he *stopped* after “over 20,000” attempts each on various users.

        Also: yes, a textbook brute force password attack starts with for example “00000000” (whatever character minimum the password field is) and increments one character at a time.

        But, a more realistic brute force attack would be done more intelligently, like starting with a list of the most common passwords. The attacker could’ve gotten the right password in far fewer than 20,000 guesses.

        Regardless of how the accounts were compromised, allowing so many unrestricted login attempts is just plain bad security practice.

      3. It’s worse than that. Go 52 upper and lower case alphabetic characters, add 10 numeric characters, and approximately 8 allowed symbolic characters. . . Now the potential cracker is working with 70 characters, and from 8 to 16 positions of which the last eight could be nulls. So the potential number of password combinations to try is 70^16. . . Or ~332,329,305,696,010,000,000,000,000,000 different combinations, give or take a few.

    1. Right, and the act of telling Apple about something doesn’t make it truly a vulnerability, either. He contends it is, he alleges it is.

      But I’d never run a site that allowed someone to try more than 3 times to get their password right!

  2. FUD based on FUD equals NOTHING. Tim Cook already said that none of the iCloud servers were broken into or compromised in any way. These stars were phished or had very weak passwords that were guessed and that’s all.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.