As everyone knows today, Apple’s delusions of its own iCloud invulnerability may have led to nude photos of its starlet customers being leaked online. However, one security researcher had warned Apple six months earlier of a security hole that exposed the personal data of iCloud users.

Ibrahim Balic, a London-based software developer, notified Apple of a method he had discovered for infiltrating iCloud accounts back in March 2014. The exploit he reported was similar to the one allegedly used in the “Celebgate” hack. The developer told an Apple official that he had managed to bypass a security feature designed to prevent “brute-force” attacks. Usually, these attacks are defeated by limiting the number of times a user can try to log in.

Balic explained that he could try more than 20,000 password combinations on any account, and he warned Apple so that the hole could be fixed. He also reported the vulnerability via Apple’s online bug submission form. However, the reported vulnerability remained unfixed, with an Apple official questioning the developer over the details of his discovery while doing nothing to fix the issue.
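The control described above, a per-account cap on failed login attempts, is what a brute-force bypass defeats. The following is an added example, not Apple’s code and not Balic’s proof of concept: a small in-memory login service that can run with or without throttling, so the effect of the missing limit (unbounded guesses per account) can be measured side by side with the fixed version. The account, password, salt, attempt limit, lockout window and clock are all constructed assumptions.

```python
"""Per-account login throttling as a defence against password brute force.

Added example: a toy login service with throttling switchable on and off.
The credential store, policy numbers and clock are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10          # failed attempts allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # lockout duration once the limit is hit (assumed policy)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 iteration count kept low so the demo runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = b"constructed-demo-salt"
# Constructed credential store: account -> salted PBKDF2 hash.
USERS = {"alice@example.com": _hash("correct horse", _SALT)}


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """throttle=False models the reported flaw: every guess is checked."""

    def __init__(self, throttle: bool, clock=time.monotonic):
        self.throttle = throttle
        self.clock = clock
        self.state: dict[str, AttemptState] = {}

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        st = self.state.setdefault(user, AttemptState())
        now = self.clock()
        if self.throttle and st.locked_until:
            if now < st.locked_until:
                return "locked"
            # Lockout has expired: start a fresh window.
            st.failures, st.locked_until = 0, 0.0
        stored = USERS.get(user)
        # Always compute the candidate hash so unknown accounts take the same time.
        candidate = _hash(password, _SALT)
        if stored is not None and hmac.compare_digest(candidate, stored):
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.throttle and st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"


def guesses_accepted(service: LoginService, user: str, guesses: list[str]) -> int:
    """Defender's check: how many guesses the endpoint actually evaluates.

    Stops at the first 'locked' response or at a successful login.
    """
    checked = 0
    for guess in guesses:
        result = service.login(user, guess)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            break
    return checked


if __name__ == "__main__":
    wrong = [f"guess-{i}" for i in range(25)]
    print("no throttle:", guesses_accepted(LoginService(False), "alice@example.com", wrong))
    print("throttle   :", guesses_accepted(LoginService(True), "alice@example.com", wrong))
```

With throttling off, every one of the 25 constructed guesses is checked, which is the behaviour Balic observed at a much larger scale. With throttling on, the service stops evaluating after MAX_ATTEMPTS failures and keeps refusing even the correct password until the lockout window has passed; the injectable clock lets that expiry be tested without waiting fifteen minutes.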

Only after the Celebgate photos exploded across the Internet did the company reportedly patch the flaw the developer had found. However, the tech giant denied that the flaw was in any way linked to the Celebgate event. Apple’s statement insisted that the theft of the pictures didn’t result from any breach of its systems, including iCloud or “Find my iPhone”.

Interestingly enough, the software developer says this is not the first time that Apple has done this to him. Back in 2013, Balic identified a security flaw in the Apple Developer Centre. At the time, the website was almost immediately shut down, with Apple claiming that this was due to an intruder’s attempt to obtain the personal data of registered developers. The problem is that Apple treated Ibrahim Balic as a criminal for reporting the vulnerability and was going to have him arrested for discovering flaws in its security.

Of course, Balic was somewhat concerned about the situation and went public in the form of a comment on a TechCrunch article. He later uploaded a proof video to YouTube. Finally, the company credited the developer with reporting a cross-site scripting (XSS) vulnerability on its Web Server notification page.

It will be up to the police to determine which particular matters to investigate. Support with intelligence gathering will be provided by the Australian Crime Commission, while consideration is also being given to a “tech crime offenders registry”.