A computer security researcher claims that he told Apple of a vulnerability in the Apple Developer Center that allowed him to retrieve information on more than 100,000 users… and he’s not at all pleased with how they have responded.
London-based Ibrahim Balic, who says he is hired by firms to find security vulnerabilities in their systems and has previously found security flaws on Facebook, claims that he recently turned his attention to Apple and had found 13 bugs in total.
One of these vulnerabilities, he claims, is the security flaw that caused Apple to shut down its Developer Center last week – eventually blaming an “intruder” for accessing “some developers’ names, mailing addresses, and/or email addresses”.
At the time of writing, Apple’s Developer Center remains closed.
Balic protests that he found the security hole in Apple’s Developer Center, and sent details and screenshots of it to Apple via its online bug reporter.
Whether that is accurate or not, one thing is clear. Apple shut down its Developer Center, claiming initially it was down for maintenance and then later warning users that an intruder had attempted to access personal information of the site’s members, and that some identifying information could have been accessed.
Balic, clearly upset to be considered a malicious hacker, turned to Twitter:
Apple!! This is definitely not a hack attack!! I am not a hacker, I do security research
According to a comment he posted on TechCrunch, Balic says he has received no response from Apple, but that the Developer Center was closed down four hours after his last bug report.
He is, perhaps understandably, worried about the possible legal implications.
I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watched/read about whether legal authorities were involved in the investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn’t attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I could go within this scope. I have over 100,000+ users’ details and Apple is informed about this. I didn’t attempt to get the data first and report then; instead I reported first.
I do not want my name to be on a blacklist, please look into this situation.
Balic also created a YouTube video, where he appears to show examples of some of the information about members of the Apple Developer Center that he managed to extract from the website – including names and email addresses.
I deliberately haven’t embedded the video in this news report, as Balic made no attempts to obscure the names and details of the individuals.
To my mind, that was highly irresponsible of him. Even though you can’t see 100,000 personal details in the video, you can determine *some*, and no-one deserves to have their personal information spread across the web like that without their permission.
Ibrahim Balic may not have been motivated by malice if he did, as appears to be the case, exploit a security hole in Apple’s Developer Center. But he clearly was operating without Apple’s permission.
As such, the extracting of developers’ personal data from the site could be argued to be unauthorised access, and Apple could – if it wanted – pursue legal action against the researcher.
Whether Apple will choose to pursue legal action in this case remains to be seen. Although it may be bad for its brand image to pursue a researcher who doesn’t appear to have had cybercrime in mind, Apple is a very strange company. Who can forget when Apple encouraged police to look into the loss of its iPhone prototype in a bar, which resulted in the editor of Gizmodo having his house raided?
Apple is under new management now, but the possibility remains that it may want to make an example of Ibrahim Balic.
While we wait to see which direction this story next turns in, one thing is clear. Ibrahim Balic will think twice about investigating security holes in Apple’s websites in future.
What do you think? Did the researcher act responsibly, or should he have asked permission to probe Apple’s website for security holes first?
I don't see a problem with what he did if it is true. Facebook's bounty program also allows people to do things without warning them, providing they stick to their guidance sheet. (i.e. Don't tell anyone about what you did to find the flaw.)
Pentesters have permission. Bug bounties are irrelevant because they too are authorised (and within limits, i.e. don't actually compromise the system(s) themselves). He did not. And yes, it was very irresponsible of him to not hide the users. To that end I'll agree – he isn't a hacker, not in the original sense (seeing as how he broke all ethics, including risking others' information (and exposing it is bad enough), others that have nothing to do with Apple aside from developing for them or on their platform), and he isn't the malicious kind: he's just an irresponsible researcher that takes things for granted. He broke the law (and claimed to help – if he wanted to help he should have worked WITH them and with their PERMISSION = he wasn't helping, especially not helping responsibly). In other words he did exactly as he claimed not to (I'll not go so far as to call him a liar, but it certainly isn't true, what he claims). Hopefully he did learn from it, because it showed very poor judgement.