Media: iCloud may have had a data leak that Apple tried to hide
According to The Hacker News, a data leak may have occurred in 2018 in which information belonging to iCloud users was disclosed. Apple has not officially announced any such problem.
What is the problem
The Turkish information security researcher Melih Sevim contacted the journalists. He said he had found a vulnerability in iCloud that allowed him to view some of the data of other accounts in the service, for example the notes stored in those accounts. The researcher was able both to access the data of random accounts and to deliberately disclose information of specific users; for the latter he only needed to know the phone number associated with the account.
According to Melih, he discovered the bug in October 2018 and reported it to Apple in November under the company's responsible disclosure policy, attaching instructions for reproducing the bug and a video demonstrating exploitation of the vulnerability.
Apple representatives also in November 2018 told the researcher that the error was fixed, but said that the company had discovered it before it was reported. After that, the ticket was closed immediately.
According to the researcher's explanation, the vulnerability arose from the link between a phone number stored in the billing information of an Apple ID account and an iCloud account. Such a link was created when the service was used on a device with the corresponding number.
Through certain manipulations the researcher was able to store the number associated with someone else's iCloud account, and then gain partial access to that account's data.
“Suppose that the mobile number for the account firstname.lastname@example.org is 12345. If I enter the mobile number 12345 in my Apple ID, which is registered at email@example.com, I will be able to see certain data on the abc account in xyz.”
According to the researcher, during his experiments he managed to access the notes of iCloud users, which contained a lot of sensitive information, including bank account details.
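The flaw as described is a classic account-linking mistake: a user-supplied identifier (a phone number) is accepted without proof of possession and is then used as the key for looking up another account's data. The following toy model is an added example and is not Apple's code or anything from the article; the account names, notes and the one-time-code flow are all constructed. It shows the vulnerable lookup next to a hardened version in which a phone number can only be bound after a verification code is confirmed, a number already verified on another account is refused, and data is always resolved by the authenticated principal rather than by phone number.

```python
"""Constructed model of phone-number account linking: vulnerable vs. hardened."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Account:
    apple_id: str
    phone: Optional[str] = None          # phone number verified for this account
    notes: List[str] = field(default_factory=list)


def make_accounts() -> List[Account]:
    """Constructed sample data: one victim with a verified number, one new user."""
    return [
        Account("victim@example.com", phone="12345", notes=["constructed note: policy no. 0000"]),
        Account("newuser@example.com"),
    ]


class VulnerableService:
    """Billing phone is taken on the caller's word and used as a data lookup key."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.apple_id: a for a in accounts}
        self.billing_phone: Dict[str, str] = {}   # apple_id -> number the user typed in

    def set_billing_phone(self, apple_id: str, phone: str) -> None:
        # No ownership check: any caller may claim any number.
        self.billing_phone[apple_id] = phone

    def read_notes(self, apple_id: str) -> List[str]:
        # BUG: data is resolved by phone number, so a claimed number reaches
        # whichever account actually owns it.
        phone = self.billing_phone.get(apple_id)
        for acct in self.accounts.values():
            if phone is not None and acct.phone == phone:
                return list(acct.notes)
        return []


class HardenedService:
    """Phone numbers are bound only after proof of possession; data is keyed by principal."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.apple_id: a for a in accounts}
        self.pending: Dict[Tuple[str, str], str] = {}   # (apple_id, phone) -> one-time code

    def start_phone_verification(self, apple_id: str, phone: str) -> str:
        # A real service would deliver the code over SMS to `phone`; it is
        # returned here only so the example can be driven offline.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(apple_id, phone)] = code
        return code

    def confirm_phone(self, apple_id: str, phone: str, code: str) -> bool:
        # Single attempt per issued code: pop it whether or not the check passes.
        expected = self.pending.pop((apple_id, phone), None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        # A number identifies one owner; refuse to bind it while another
        # account holds it rather than silently sharing it.
        for acct in self.accounts.values():
            if acct.phone == phone and acct.apple_id != apple_id:
                return False
        self.accounts[apple_id].phone = phone
        return True

    def read_notes(self, apple_id: str) -> List[str]:
        # The authenticated principal is the only lookup key.
        return list(self.accounts[apple_id].notes)


def demo() -> Dict[str, List[str]]:
    """Run both services with the same constructed claim and return what each exposes."""
    vuln = VulnerableService(make_accounts())
    vuln.set_billing_phone("newuser@example.com", "12345")   # claims the victim's number

    hard = HardenedService(make_accounts())
    code = hard.start_phone_verification("newuser@example.com", "12345")
    hard.confirm_phone("newuser@example.com", "12345", code)  # refused: number already owned

    return {
        "vulnerable": vuln.read_notes("newuser@example.com"),
        "hardened": hard.read_notes("newuser@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The interesting line in the hardened version is the lookup in `read_notes`: even if the verification step were bypassed, a number bound to the wrong account would not expose anyone else's notes, because the phone number is never used as the key to another principal's data.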
Since the vulnerability was in the iCloud settings section for iOS devices, Apple was able to fix it server-side in the background; no separate iOS update was required.
Melih provided journalists with correspondence in which Apple Security Team officials confirm the existence of the problem and report that it has already been fixed.
In response to a letter from The Hacker News, Apple also confirmed the vulnerability and said that "it was fixed as early as November 2018," ignoring questions about how long the vulnerability had been present in the system, the approximate number of users whose data was disclosed, and whether there is any evidence that it was exploited by hackers.
Also this week, a bug in FaceTime became known that allows a caller to gain access to another person's microphone and camera even if the call is not answered. Developers were forced to disable Group FaceTime to protect users.
It later emerged that the mother of the teenager who discovered the vulnerability had tried to notify Apple a week before it became public. No one responded to her social media posts or bug reports.
Positive Technologies researchers have also found vulnerabilities in Apple products. In the summer of 2018, Apple released an update for macOS High Sierra 10.13.4 that fixed a firmware vulnerability in its computers (CVE-2018-4251), discovered by Maxim Goryachiy and Mark Yermolov. The vulnerability allowed a dangerous flaw in the Intel Management Engine subsystem to be exploited.