iCloud Could Have a Data Leak That Apple Tried to Hide

The problem

Turkish information security researcher Melih Sevim contacted journalists and said that he had found a vulnerability in iCloud that allowed him to view some of the data of other accounts in the service, for example notes in other people's accounts. He was able both to access the data of random accounts and to deliberately disclose information on specific users; for the latter he needed to know the phone number associated with the service.

According to Melih, he discovered the bug in October 2018 and reported it to Apple in November. He attached detailed instructions on how to reproduce the bug and provided a video demonstration of the vulnerability being exploited.

Apple representatives told the researcher in November 2018 that the bug was fixed but stressed that the company had detected it before it was reported. After that, the ticket was closed immediately.

According to the researcher's explanation, the vulnerability arose because a phone number stored in the billing information of an Apple ID account is linked to an iCloud account. This link was created when the service was used on a device with the corresponding number.

By manipulating this link, the researcher was able to add and save a number associated with someone else's iCloud account, and then receive partial access to that account's data.

“Suppose that the mobile number for the account zzz@icloud.com is 012345. If I enter the mobile number 012345 in my Apple ID, which is registered at aaa@icloud.com, I will be able to see certain data on the zzz account.”

According to the researcher, during these experiments he managed to get access to the notes of iCloud users, which contained a lot of important information, including bank account information.

Since the vulnerability was contained in the iCloud settings section for iOS devices, Apple was able to fix it remotely in the background. To do this, it was not necessary to release a separate iOS update.
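
The flaw class described above, as an added Python example that is not Apple's code or the researcher's: a hypothetical service (all class and function names are assumptions) that resolves data through a self-asserted billing number, the same lookup keyed to the authenticated account only, and an audit that flags conflicting numbers. The sample data is constructed from the addresses and number in the researcher's quote.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    apple_id: str
    billing_phone: str = ""      # user-editable profile field, never verified
    notes: list = field(default_factory=list)

class Service:
    def __init__(self, accounts):
        self.accounts = {a.apple_id: a for a in accounts}
        self.device_owner = {}   # phone -> apple_id, recorded on device use

    def register_device(self, apple_id, phone):
        self.device_owner[phone] = apple_id

    def notes_vulnerable(self, session_id):
        """Flawed: treats the caller's self-asserted billing number as identity."""
        me = self.accounts[session_id]
        out = list(me.notes)
        owner = self.device_owner.get(me.billing_phone)
        if owner and owner != session_id:
            out += self.accounts[owner].notes   # cross-account read
        return out

    def notes_hardened(self, session_id):
        """Fixed: returns only records owned by the authenticated account."""
        return list(self.accounts[session_id].notes)

    def audit_conflicts(self):
        """Flag accounts whose billing number is tied to another account's device."""
        return sorted(
            (a.apple_id, owner)
            for a in self.accounts.values()
            if (owner := self.device_owner.get(a.billing_phone))
            and owner != a.apple_id
        )

def demo():
    """Constructed data using the addresses and number from the quote above."""
    zzz = Account("zzz@icloud.com", notes=["constructed sample note"])
    aaa = Account("aaa@icloud.com")
    svc = Service([zzz, aaa])
    svc.register_device("zzz@icloud.com", "012345")
    aaa.billing_phone = "012345"   # aaa enters zzz's number in its own profile
    return svc
```

The audit function is the kind of server-side check that can be run over existing records to find accounts already affected by such a link.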

Apple's reaction

Melih provided journalists with messages in which Apple Security Team officials confirm the existence of the problem and report that it has already been fixed.

In response to a letter from The Hacker News website, Apple also confirmed the vulnerability and said that: "It was fixed as early as November 2018," ignoring questions about how long the vulnerability was present in the system, the approximate number of users whose data was disclosed, and whether there was evidence of its exploitation by hackers.

Another bug recently came to light in FaceTime, which allows the caller to gain access to someone else's microphone and camera, even if the call was not answered. Developers were forced to disable Group FaceTime to protect users.

Later it became known that the mother of the teenager who discovered the vulnerability had tried to notify Apple a week before the bug became public. No one responded to her posts on social networks or to her bug reports.

Positive Technologies researchers have also found other vulnerabilities in Apple products. In the summer of 2018, the company released an update for macOS High Sierra 10.13.4 that eliminated a vulnerability in the firmware of personal computers (CVE-2018-4251), discovered by Maxim Goryachiy and Mark Yermolov. The vulnerability made it possible to exploit a dangerous error in the Intel Management Engine subsystem.

New vulnerabilities appear and get fixed. At the same time, it is impossible to get rid of the numerous new pieces of Apple malware that appear on a daily basis.