Researcher claims responsibility for security breach at Apple Developer website

The researcher says he was able to obtain names and email addresses of users and claims he reported the flaw to Apple

An independent security researcher claimed responsibility for the security breach incident that forced Apple to close down its Developer Center website last week.

Ibrahim Balic claims that he reported the vulnerability to Apple and didn't act with any malicious intentions, but he confirmed extracting user IDs, names and email addresses from the website.

On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the company said in a message posted on the site's home page.

Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

"This is definitely not a hack attack; I have reported all the bugs," Balic said Monday on Twitter. "I am not a hacker, I do security research," he said in a separate message.

Balic's name is listed on Facebook's acknowledgement page for security researchers who responsibly reported security issues to the company.

"I have reported security bugs to Facebook and Opera numerous times before," Balic said Tuesday via email.

He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

"The video is now removed from YouTube," Balic said on Twitter. "I apologize for sharing some of the confidential information."

He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

The vulnerability exploited to extract the information was reported to Apple via the company's "Bug Reporter" system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

Balic claims that the company did not respond to his reports until today, when he received an email saying that the issues are being investigated.

Apple did not respond to a request for comment filed Monday.

Some people on Twitter and in comments on other websites criticized Balic's decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.

"I continued taking [information] to see how deep I could go," the researcher said Tuesday via email. "I wanted to be heard. I'm not hacking and I didn't do it for bad purposes."

"There has been a lot of debate about the ethical aspects of bug hunting," said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender, Tuesday via email. "While penetration testing often proves to be extremely profitable in the long run for both customers and companies, it also has a downside: whenever pen testing is done on production servers, you run the risk of breaking things and taking the respective infrastructure out of business, causing more harm than good."

In addition, downloading 100,000 records is overkill for a proof-of-concept attack and exposes many more users than necessary, Botezatu said.

While the main page of the Apple developer site is currently accessible, the member area still displays Apple's downtime announcement, as do the company's iOS Dev Center, Mac Dev Center and Safari Dev Center websites. Apple said that it is completely overhauling its developer systems.


Lucian Constantin

IDG News Service
