Apple had been aware of bruteforce vulnerability in iCloud for 5 months
Apple has been aware of a vulnerability in iCloud since the end of March that allowed attackers to discover users’ passwords through brute-force attacks. Despite this, it took until August for Apple to come up with a fix.
London-based developer Ibrahim Balic notified Apple of the vulnerability on March 26 and received a response the same day, news site Daily Dot reports on the basis of the developer’s emails. Balic is no stranger to Apple: the manufacturer had earlier thanked him for reporting an XSS bug.
An Apple employee contacted him again in May asking for more information and seemed poorly informed about what exactly Balic meant. When the iPhone maker became aware of the vulnerability through a script published on GitHub, a fix appeared within a short time.
The vulnerability meant that an unlimited number of password guesses could be made against the Find My iPhone service for iPhone devices. Anyone who found the password that way could then also log in to other iCloud services. The vulnerability came to light when Apple came under fire after photos from the iCloud accounts of American actresses and other celebrities surfaced. It is unknown whether the vulnerability was used to steal some or all of the photos.
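The weakness described above is the absence of a per-account limit on password guesses. The following Python is an added illustration, not code from Apple or the article, showing an unguarded login handler next to one with a failure counter and temporary lockout, run over a constructed list of guesses against a constructed credential store. All names (`LoginGuard`, `check_credentials`, `USERS`) and the sample account are hypothetical.

```python
"""Per-account lockout for a password login endpoint (added example).
Hypothetical names and constructed sample data; not Apple's or iCloud's code."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

_SALT = b"constructed-static-salt"  # a real system uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store: one account, password kept as a PBKDF2 hash.
USERS: Dict[str, bytes] = {"alice@example.com": _hash_password("correct horse battery staple")}


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison; the hash is computed even for unknown users so
    response time does not reveal whether an account exists."""
    candidate = _hash_password(password)
    stored = USERS.get(user, b"\x00" * len(candidate))
    return user in USERS and hmac.compare_digest(stored, candidate)


def unguarded_login(user: str, password: str) -> str:
    """The weak form: every guess is checked, with no limit per account."""
    return "ok" if check_credentials(user, password) else "denied"


@dataclass
class LoginGuard:
    """Hardened form: after `max_failures` wrong guesses the account is locked for
    `lockout_seconds`; even the correct password is refused during the lockout."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def login(self, user: str, password: str) -> str:
        now = self.clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked"  # refuse without even checking the password
        if check_credentials(user, password):
            self._failures.pop(user, None)  # success resets the counter
            return "ok"
        failures = self._failures.get(user, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = failures
        return "denied"


def run_guesses(handler: Callable[[str, str], str], user: str, guesses: List[str]) -> List[str]:
    """Feed a constructed guess list to a login handler and collect the outcomes."""
    return [handler(user, g) for g in guesses]


# Constructed guess list: nine wrong passwords followed by the right one.
GUESSES = [f"wrong-{i}" for i in range(9)] + ["correct horse battery staple"]

if __name__ == "__main__":
    print("no limit:", run_guesses(unguarded_login, "alice@example.com", GUESSES))
    print("lockout :", run_guesses(LoginGuard().login, "alice@example.com", GUESSES))
```

With no limit the tenth guess is accepted; with the guard the account locks on the fifth failure and the correct password is refused until the lockout expires. A lockout that is per account (rather than per source address) also closes the gap the article describes, where guesses could be spread across many connections; the trade-off is that an attacker can deliberately lock legitimate users out, which is why the lockout is temporary and why unusual-login notifications and two-factor authentication are the complementary controls.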
Following the theft of celebrities’ nude selfies, Apple, as the operator of iCloud, has taken action. For example, users are now notified when someone logs in from a device other than the usual one, and Apple encourages users to enable two-factor authentication.