It turns out that Apple possibly suffered a privacy breach late last year due to a bug in its platform that might have exposed some of your iCloud data to other users, but the company chose to keep the incident secret… maybe because it was not worth to disclose, or perhaps much more complicated.
Last week, Turkish security researcher Melih Sevim contacted Hack Hex and claimed to have discovered a flaw in Apple services that allowed him to view partial data, especially notes, from random iCloud accounts as well as on targeted iCloud users just by knowing their associated phone numbers.
Melih confirmed Hack Hex that he discovered the alleged flaw in October 2018, and then responsibly reported it to the Apple’s security team with steps to reproduce the bug and a video demonstration, showing how he was able to read personal iCloud data from other Apple users without their knowledge.
“I discovered that when there is an active data transfer between the user and Apple servers if I open my (attacker’s) iCloud account, there is a possibility to view some random data on every refresh due to the bug,” Melih told Hack Hex.
After patching it in November 2018, Apple acknowledged the issue to Melih but responded that the company had already addressed it before receiving details from him.
Apple then immediately closed the ticket and buried the lead.
A Mysterious iCloud Bug
Based upon Melih explanation, the alleged flaw resided in the way Apple “internally” linked, either accidentally or intentionally, a phone number saved in the billing information of an Apple ID to the iCloud account on a device using the same phone number.
According to Melih, after following some specific steps on his iPhone and then saving a new phone number linked to another Apple ID in the billing information related settings on his device, he was able to view partial iCloud data from the account associated with that number.
“Let suppose, if email@example.com’s mobile number is 12345 and when I enter 12345 mobile number to my firstname.lastname@example.org Apple ID account, I could see abc’s data on xyz’s account,” Melih told HH.
“During my researcher, I saw many notes from other Apple users who kept their bank account related information and passwords in the iCloud.”
Since the flaw was in the section of iCloud settings for iOS devices that load from Apple servers in real-time using the Internet, it was silently patched by Apple team from the background without releasing a new iOS update.
If Melih’s report is accurate, the next detail makes the issue more serious…
Melih also confirmed Hack Hex that the text-box asking users to enter a phone number was not validating the user input, thus allowing an attacker even to save a single digit input.
As shown in the video demonstration shared by Melih with HH, the trick eventually exploited the same flaw into fetching personal data from random iCloud accounts matching the input digit to their associated phone numbers.
Apple Acknowledged the Problem, But…
To confirm Melih’s bug and know the full extent of the incident, we reached out to the Apple security team before publishing this article.
In response to Hack Hex email and knowing that we are working on a story, Apple acknowledged the bug report, saying “the issue was corrected back in November,” without responding to some other important questions, including for how many weeks the flaw remained open, the estimated number of affected users (if any) and if there is any evidence of malicious exploitation?
Well, that was weird, but not new…
Later it turned out that Apple was apparently notified of the FaceTime eavesdropping bug over a week ago by a 14-year-old boy before it made headlines, but again, the Apple security team failed to communicate promptly, leaving its millions of users unaware of the issue and at risk.
If the suspected iCloud leak was minor, then Apple could have confirmed us, but it’s silence over the report makes the incident more suspicious.
We’ll update this story as we hear more.