Researcher claims responsibility for security breach at Apple Developer website
An independent security researcher claimed responsibility for the security breach incident that forced Apple to close down its Developer Center website last week.
Ibrahim Balic claims that he reported the vulnerability to Apple and didn’t act with any malicious intentions, but he confirmed extracting user IDs, names and email addresses from the website.
On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.
“Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed,” the company said in a message posted on the site’s homepage.
Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.
Balic’s name is listed on Facebook’s acknowledgement page for security researchers who responsibly reported security issues to the company.
“I reported security bugs to Facebook and Opera before over numerous times,” Balic said Tuesday via email.
He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.
“The video is now removed from YouTube,” Balic said on Twitter. “I apologize for sharing some of the confidential information.”
He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.
The vulnerability exploited to extract the information was reported to Apple via the company’s “Bug Reporter” system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.
Balic claims that the company did not respond to his reports until Tuesday, when he received an email saying that the issues are being investigated.
Apple did not respond to a request for comment filed Monday.
Some people on Twitter and in comments on other websites criticized Balic’s decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.
“I continued taking [information] to see how deep I could go,” the researcher said Tuesday via email. “I wanted to be heard. I’m not hacking and I didn’t do it for bad purposes.”
“There has been a lot of debate about the ethical aspects in bug hunting,” said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender, Tuesday via email. “While penetration testing proves often to be extremely profitable in the long run for both customers and companies, they also have a downside: whenever pen testing is done on production servers, you run the risk of breaking things and taking the respective infrastructure out of business causing more harm than good.”
In addition, downloading 100,000 records is overkill for a proof-of-concept attack and exposes many more users than necessary, Botezatu said.
While the main page of the Apple developer site is currently accessible, the member area still displays Apple’s downtime announcement, as do the company’s iOS Dev Center, Mac Dev Center and Safari Dev Center websites. Apple said that it is completely overhauling its developer systems.