Researcher claims responsibility for security breach at Apple Developer website

The researcher says he was able to obtain names and email addresses of users and claims he reported the flaw to Apple

An independent security researcher claimed responsibility for the security breach incident that forced Apple to close down its Developer Center website last week.

Ibrahim Balic claims that he reported the vulnerability to Apple and didn't act with any malicious intentions, but he confirmed extracting user IDs, names and email addresses from the website.

On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the company said in a message posted on the site's home page.

Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

"This is definitely not a hack attack; I have reported all the bugs," Balic said Monday on Twitter. "I am not a hacker, I do security research," he said in a separate message.

Balic's name is listed on Facebook's acknowledgement page for security researchers who responsibly reported security issues to the company.

"I have reported security bugs to Facebook and Opera numerous times before," Balic said Tuesday via email.

He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

"The video is now removed from YouTube," Balic said on Twitter. "I apologize for sharing some of the confidential information."

He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

The vulnerability exploited to extract the information was reported to Apple via the company's "Bug Reporter" system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

Balic claims that the company did not respond to his reports until today, when he received an email saying that the issues are being investigated.

Apple did not respond to a request for comment filed Monday.

Some people on Twitter and in comments on other websites criticized Balic's decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.

"I continued taking [information] to see how deep I could go," the researcher said Tuesday via email. "I wanted to be heard. I'm not hacking and I didn't do it for bad purposes."

"There has been a lot of debate about the ethical aspects of bug hunting," said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender, Tuesday via email. "While penetration testing often proves to be extremely profitable in the long run for both customers and companies, it also has a downside: whenever pen testing is done on production servers, you run the risk of breaking things and taking the respective infrastructure out of business, causing more harm than good."

In addition, downloading 100,000 records is overkill for a proof-of-concept attack and exposes many more users than necessary, Botezatu said.

While the main page of the Apple developer site is currently accessible, the member area still displays Apple's downtime announcement, as do the company's iOS Dev Center, Mac Dev Center and Safari Dev Center websites. Apple said that it is completely overhauling its developer systems.


Lucian Constantin

IDG News Service