Apple is a company that likes to boast about the privacy and security of their products, and their marketing campaigns are currently focused and based on this aspect. Security flaws are oftentimes hard to locate and plug, however, and the company has just rediscovered this dire truth with the FaceTime bug. Another story, concerning the Apple iCloud storage and computing service, has just surfaced from “The Hacker News”, presenting serious evidence that a privacy breach was kept secret by Apple.
The problem was reported to Apple by Turkish security researcher Melih Sevim back on November 12, who discovered that a flaw in iCloud allowed users to view partial iCloud account data of others if they knew the associated phone number. The bug allowed any user to enter another person’s phone number to their own account ID through the device’s billing information settings, and then fetch part of the other person’s account data on their iCloud. Melih found no phone number validation step, so he just proceeded his “test” by inputting random numbers and getting access to even their banking information. Something of such seriousness should be disclosed to the public so that users could refresh their credentials and reported to the authorities, but Apple thought it would be a better idea to just plug the flaw through a silent update and hope that the story never sees the light.
Apple received Sevim’s report on the issue and then asked for more details about the vulnerability. This is when the researcher created the video shown above and sent it to them, only to get the following response:
Clearly, Apple tried to downplay the very essence and value of this serious bug report, saying that the problem had been fixed at the same time the researcher was seamlessly fetching other users’ data onto his iCloud account. What is even more worrying, is that there’s no mention of how many users got affected and the period of time during which the flaw kept the data fetching gates open. Usually, companies do at least issue a reassuring statement to claim that no evidence of malicious exploitation of a vulnerability was detected before the fix, but that would mean disclosing the issue for Apple, and so they didn’t. Possibly, the reason for keeping the story secret is that the impact of the particular security flaw was humongous, and so would the impact on the trust of iCloud users in Apple be.
Are you using iCloud to store information? Do you trust Apple’s security team? Let us know in the comments below, and don’t forget to share this story and propagate the news through our socials, on Facebook and Twitter.