A Turkish high school student who recently discovered a vulnerability in Apple’s in-app payment system used in games has now found another, more serious problem with the tech giant’s software.
Phone news and reviews website Antutu says the student, Huseyin Coban, first found out that a sequence of steps he followed while making in-game purchases allowed users to buy items worth up to 60,000 Turkish liras (about $10,000).
He contacted Apple with his discovery, and was sent a thank-you email and a reward of 300 lira (just over $50). Coban said he was disappointed with the prize, but not discouraged from trying to find more vulnerabilities.
And he allegedly found one that could have widespread ramifications: the student claims he can access celebrity accounts, including their photos, using iCloud passwords.
However, Coban, who has decided to go public with the discovery, doesn’t want to explain how he is able to hack into other people’s accounts. That’s because this time, he considers the reward Apple is willing to offer too low – even if it is a considerable step up from the $50 he got for his first bug.
Coban says Apple – with whom he communicated via email and phone – asked him to explain the exploit and offered $220,000 in return. But he said he is receiving offers of “five times” that amount, presumably from malicious actors – which, given the black market value of personal content stolen from celebrities, probably isn’t that far-fetched a claim.
And while he is sitting tight regarding his price, Coban did share with Turkish media that it was actually “very easy” to access celebrities’ accounts on iCloud. At the same time, the student promised that he would not share his findings with the malicious parties that are allegedly offering in the range of a million dollars for a chance to buy the vulnerability.
But he did make a remark about its importance. Almost all famous people in Turkey use Apple phones, Coban said. In other words, a lot of damage could be done if the exploit falls into the wrong hands.