Late last year, Apple reportedly suffered a privacy breach caused by a bug in its platform. The bug might have revealed some users’ iCloud data to others. However, the company remained hush-hush about the incident. Perhaps Apple didn’t think of the incident as newsworthy, or maybe it’s more complicated than we think.
Apple Keeps iCloud Privacy Breach a Secret
Melih Sevim, a Turkish security researcher, reported to The Hacker News that he had discovered a flaw in Apple’s services. He says that this bug enabled him to access data, especially notes, from random iCloud accounts as well as from targeted iCloud users just by knowing their phone numbers. Sevim claimed that he discovered the supposed flaw in October 2018.
He then informed Apple’s security team about his findings, providing steps to reproduce the bug and a video demonstration to show them how he was able to read personal iCloud data from other Apple users without them knowing about it. This is what Melih told The Hacker News: “I discovered that when there is an active data transfer between the user and Apple servers if I open my (attacker’s) iCloud account, there is a possibility to view some random data on every refresh due to the bug.”
Apple did acknowledge the issue but claimed that it was already aware of the problem before Melih brought it to its attention. After fixing the problem in November 2018, Apple immediately closed the ticket. The company responded with the following statement: “The issue was corrected back in November.” Apple refrained from mentioning how long the flaw was open, the number of affected users, and the possibility of malicious exploitation. This is not new to Apple. Just days ago, Apple disabled its Group FaceTime service after the public disclosure of a bug in its video-calling app.
About the iCloud Bug
According to Melih’s explanation, the flaw was in the way Apple “internally” linked a phone number saved in the billing information of an Apple ID to the iCloud account on a device using the same phone number. Melih saved a new phone number, linked to another Apple ID, in the billing-information settings on his iPhone. As a result, he was able to view partial iCloud data from the account associated with that number. Melih confirmed that the text box asking users to enter a phone number was not validating the user input. This allowed an attacker to save even a single-digit input.
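The two weaknesses described above (linking on a phone number alone, and an unvalidated phone field) can be shown in a small model next to a checked version. This is an added example, not Apple's code or anything from the researcher's report; the device table, function names and the E.164 length policy are assumptions made for illustration.

```python
import re

# Assumed policy: a complete international (E.164) number, "+" then 8-15 digits.
E164 = re.compile(r"\+[1-9]\d{7,14}")

def normalize_phone(raw):
    """Strip common separators and reject anything that is not a full number."""
    cleaned = re.sub(r"[\s().-]", "", raw)
    if not E164.fullmatch(cleaned):
        raise ValueError(f"incomplete or malformed phone number: {raw!r}")
    return cleaned

# Constructed sample data: device id -> (owning account, phone number on the device).
DEVICES = {
    "dev-1": ("alice", "+14155550101"),
    "dev-2": ("mallory", "+14155550199"),
}

def linked_devices_naive(billing_phone):
    """Weak pattern: match on the phone number alone, ignoring who is asking."""
    return sorted(d for d, (_, phone) in DEVICES.items() if phone == billing_phone)

def linked_devices_checked(account, raw_billing_phone):
    """Validate the input, then link only devices the authenticated account owns."""
    phone = normalize_phone(raw_billing_phone)
    return sorted(
        d for d, (owner, p) in DEVICES.items()
        if owner == account and p == phone
    )

if __name__ == "__main__":
    # Any account that saves alice's number gets alice's device in the naive model.
    print(linked_devices_naive("+14155550101"))
    # The checked model keys the link on the authenticated account as well.
    print(linked_devices_checked("mallory", "+1 415 555 0101"))
    print(linked_devices_checked("alice", "+1 (415) 555-0101"))
    try:
        normalize_phone("5")
    except ValueError as exc:
        print("rejected:", exc)
```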
iCloud Bug: Final Words
If the bugs or glitches Apple is experiencing were minor, it would have addressed them. But the fact that Apple remained silent about these issues gives rise to suspicion. Apple needs to get it together before its users lose faith in what it stands by and has to offer.