Did Apple Know of iCloud Security Hole Months Before Leak?

Is it possible Apple (AAPL) knew of a security opening in its iCloud platform months before the highly publicized celebrity photograph leak of a few weeks ago?

DH Kass, Senior Contributing Blogger

September 29, 2014


According to a report in the online Daily Dot, the iPhone maker may have known, or at least been advised, of a particular type of vulnerability in its iCloud security as early as last March, based on emails between Apple and security researcher Ibrahim Balic.

Balic reportedly informed Apple of a way he’d unearthed to break into iCloud accounts that bore similarities to the method used to pilfer the celebrity photographs, although it’s not certain that what he reported is exactly the same method the hackers used in the break-in.

The Daily Dot reported that Balic sent Apple an email March 26 saying he’d gotten past a security feature intended to repel the brute-force attacks hackers use to crack passwords, adding that he was able to try more than 20,000 passwords on any account to find the right combination.

According to the report, six weeks later the vulnerability still existed. Did the celebrity photograph hackers use brute force to gain entry into Apple’s iCloud platform? Apple’s not saying, but Balic thinks so.

“I believe the issue was not completely solved. They kept asking me to show them more stuff,” Balic told the Daily Dot.

If Balic’s name rings a bell, he’s the same independent security wonk who a year ago July said he’d uncovered more than a dozen flaws in Apple’s armor that left data from its Developer Center exposed. To make his point, he broke in and ended up showing Apple data from 73 user accounts and claimed he’d gotten his hands on information from another 100,000 users.

Balic said he contacted Apple to illuminate the security flaws and to help the vendor fix them but instead Apple regarded his actions as a security intrusion and shut the site down. He subsequently identified himself publicly and denied that he intended to hack the Developer Center for any reason other than to help Apple shore up its security.

In that instance, Apple ended up crediting Balic for uncovering a cross-site scripting flaw on its Web Server notification page. But, still, the whole episode had an air of self-promotion about it, making it difficult to tell if this one follows the same pattern.


About the Author(s)

DH Kass

Senior Contributing Blogger, The VAR Guy
