APPLE reportedly covered up a major privacy breach that gave hackers partial access to user iCloud accounts.
The supposed flaw was allegedly “kept secret” by Apple – and quietly fixed without alerting users to the problem.
Apple ranks iCloud privacy high on its list of priorities, after a 2014 leak exposed almost 500 private photos of female celebrities, including Jennifer Lawrence and Kate Upton.
The service stores Apple customers’ files on servers, which can be accessed digitally at any time – freeing up space on your device, and keeping media backed up safely.
But a new report by The Hacker News claims that Apple “suffered a privacy breach” late last year.
The breach supposedly gave attackers access to view iCloud back-ups of files in the Notes app – where people store important notes, reminders and media.
This supposed flaw was discovered by Turkish security researcher Melih Sevim.
Sevim found that he could access random iCloud accounts – and even target specific iCloud users – just by knowing their phone numbers.
“Simply knowing a person’s mobile phone number was allowing [the] attacker to see that person’s iCloud data with this flaw,” Melih told The Sun.
“[The] attacker was adding the victim’s mobile number as his number without any verification.
“And Apple was syncing the iCloud data to [the] attacker’s account.”
The issue is now believed to have been fixed, but there appears to be no public knowledge of the bug ever having existed.
And Melih claims that even though he alerted Apple to the problem, the company failed to pay him as part of its Bug Bounty reporting programme.
“My first discovery of this vulnerability was [the] end of October,” said Melih, speaking to The Sun.
“My first contact with Apple was on the 12th of November about this issue.
“After my first contact they asked a lot of details and documentation about this. I answered all and prepared an article.
“Apple responded [quickly] – we were in frequent communication with them until they fixed the flaw.
“After their job is done and the flaw is fixed, they stopped the conversation and stopped messaging back to me.
“Also they didn’t give my bounty.”
Melih supplied images of his email correspondence with Apple to The Sun.
He appears to have been asked by Apple to keep the bug secret, and to remove a video detailing the bug from YouTube.
But a later email sent by “Jill” from Apple Product Security says: “The issue that you reported was addressed prior to you sending us the information.”
Keeping bugs secret – the hidden dangers
We spoke to Tim Mackey, technical evangelist at Synopsys, who said…
- “One of the major items development teams battle against on an almost daily basis is patterns of behaviour resulting in defects.
- “Humans are after all creatures of habit, and developers even more so.
- “While the available information surrounding the iCloud issue doesn’t appear related to Facebook access tokens, Twitter API access, or the Google+ retirement – Apple’s choice to hold secret details on the flaws doesn’t help the industry improve and invites conjecture.
- “It may be there’s an embarrassing bug afoot, but knowing how that bug manifests can enable others to review their software for similar patterns.
- “By holding details secret, Apple is effectively choosing the security and reputation of their own services over the privacy of user data regardless of which service it may reside within.”
We’ve asked Apple for comment and will update this story with any response.
These latest allegations come at a difficult time for Apple.
This week it was revealed that a major FaceTime bug allowed strangers to eavesdrop on you through your iPhone’s microphone.
Apple was forced to disable its new Group FaceTime feature to contain the bug while it works on releasing a fix.
But Apple has come under further fire after it emerged the company may have known about the bug for an entire week before telling the world.