Security researchers just reported about a possible breach of iCloud that took place late last year. Purportedly, a bug in the platform may have exposed iCloud data to other users. And by the looks of it, Apple chose to remain silent about the breach and the bug that caused it.
iCloud Bug Allows You to View Data from iCloud Accounts
A Turkish researcher, Melih Sevim, got in touch with The Hacker News last week and told them about a vulnerability he discovered that allowed him to view some data from random iCloud accounts. He could also exploit the bug on targeted users just by knowing their associated phone numbers.
The researcher says he discovered the flaw in October 2018, and was quick to report it to Apple’s security team. He even shared steps to reproduce the issue along with a video demonstration. It seems that Apple patched the bug in November last year. Even though the company acknowledged the issue to Melih, they said they had already addressed the bug, prior to receiving Melih’s report. Then, Apple closed the ticket.
What may have happened? Since the flaw was in the section of iCloud settings for iOS devices that load from Apple servers in real-time via the Internet, it was silently patched by Apple team from the background, without releasing a new iOS update, the Hacker News said.
The reporters also got in touch with Apple’s security team to confirm Melih’s findings:
In response to The Hacker News email and knowing that we are working on a story, Apple acknowledged the bug report, saying “the issue was corrected back in November,” without responding to some other important questions, including for how many weeks the flaw remained open, the estimated number of affected users (if any) and if there is any evidence of malicious exploitation.
This is the second big security bug concerning Apple that came to light in the last 24 hours or so. The FaceTime bug, which wasreportedly discovered by a 14-year-old, allows users to eavesdrop or watch the individual they are calling before that person has even answered the call. The scariest part is that the bug doesn’t require technical insight or hacking skills. The bug can be triggered by following a few simple steps to add the ringing call to a group chat.