Report: Apple knew about major iCloud security flaw six months before fixing
Apple knew about a security problem with its iCloud website for at least six months before addressing it, according to a report from the Daily Dot. The fix came only after the service was wrongly blamed for enabling the celebrity photos leaked earlier this month. The report is based on emails between the security researcher who spotted the vulnerability and the Apple employees he contacted.
This is an embarrassing revelation for a company that's trying to distance itself from the photo leaks -- which were said to have been sourced from targeted attacks instead of a problem with the iCloud website -- by trumpeting efforts to improve its security chops whenever it possibly can.
There is no excuse for failing to implement a basic security feature -- one which prevents people from submitting as many passwords as they want without being locked out -- almost six months after employees were told about the problem through multiple emails and a detailed report in Apple's official bug reporting system.
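The "basic security feature" the article refers to is a failed-login throttle: after a small number of wrong passwords within a time window, further attempts against that account are rejected for a while, whether or not they are correct. The following is an added illustration of that control, not code from Apple or from this report; the account name, password, hash parameters and thresholds (5 failures in 15 minutes, 15-minute lockout) are constructed assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed demo credential store (assumption for illustration only):
# one account with a PBKDF2-hashed password.
_SALT = os.urandom(16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}


class FakeClock:
    """Deterministic stand-in for time.monotonic() so lockout expiry can be tested."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Lock an account after max_failures failed attempts inside `window` seconds."""

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> clock value at which the lock expires

    def _prune(self, account, now):
        # Forget failures older than the sliding window
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout

    def record_success(self, account):
        # A successful login clears the failure history and any lock
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password):
    """Return 'locked', 'ok' or 'bad'. The lock check runs before the password is verified,
    so a locked account rejects even the correct password until the lockout expires."""
    if throttle.is_locked(account):
        return "locked"
    record = USERS.get(account)
    if record is None:
        # Unknown account: count the failure too, so guessing against it is throttled as well
        throttle.record_failure(account)
        return "bad"
    salt, stored = record
    if hmac.compare_digest(stored, _hash_password(password, salt)):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def demo():
    """Seven wrong guesses in a row: five are checked and rejected, then the account locks."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window=900, lockout=900, clock=clock)
    outcomes = [attempt_login(throttle, "alice@example.com", f"guess{i}") for i in range(7)]
    while_locked = attempt_login(throttle, "alice@example.com", "correct horse battery staple")
    clock.advance(900)  # lockout expires
    after_expiry = attempt_login(throttle, "alice@example.com", "correct horse battery staple")
    return outcomes, while_locked, after_expiry


if __name__ == "__main__":
    print(demo())
```

The check that matters is the order inside `attempt_login`: the lock is consulted before the password is hashed and compared, so once the threshold is reached the number of remaining guesses an attacker can test is bounded by the lockout schedule rather than by their bandwidth. In a real deployment the counters would live in shared storage so every front end sees the same state, and a lockout event is worth logging as a signal in its own right.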
Earlier today I wrote about how apathy might help spread security problems like the Shellshock bug, which is said to be worse than the infamous Heartbleed bug. Apple's response is even worse than apathy, though: it's outright disdain for the people it's supposed to be protecting.
This wasn't an unknown problem. Apple had numerous warnings of its existence from just this one whistleblower; who knows how many others warned the company about the problem? And it's not like the problem couldn't be exploited: an exploit was published to GitHub right before the issue was finally fixed in the wake of the nude photo leak. Apple can't claim ignorance here.
Here are the other possibilities: it took Apple six months to implement a basic security fix; or Apple just didn't care enough to fix it without dragging its feet for the better part of a year. Neither option is comforting, given the information Apple can access, and it shows that the company's new push to convince people that their information is safe with it is just plain condescending.