
BLOG: Security researcher claims good intentions in hacking Apple Dev Center

Ted Samson | July 23, 2013
Self-proclaimed white hat admits to breaching Apple Dev Center, but only after warning company of vulnerabilities

Balic claimed that Apple never responded to his reports but has since learned that the company has contacted law enforcement to investigate: "I'm not feeling very happy with what I read and [I am] a bit irritated, as I did not [do] this research to harm or damage," he said. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the data for the [purpose] of seeing how deep I can go within this scope.

"I do not want my name to be in blacklist," he concluded. "I'm keeping all the evidences, emails, and images; also I have the records of bugs that I made through Apple bug report."

Balic appears to have lost sympathy from some observers for two reasons: First, he posted the aforementioned video to the public — and neglected to redact the names and email addresses he'd collected. (I had a chance to view the video before Balic changed the privacy setting on YouTube.)

Second, Balic claimed in the same admission that he took only 73 users' details and has "100,000-plus user details." That's an obvious contradiction, though whether Balic took 73 users' details or 100,000, Apple developers should be rightly concerned. The Dev Center clearly has been breached by at least one third party, and Apple is worried enough to have shut down the Dev Center for days to pour time and resources into rebuilding the database and overhauling the site.

Developers also may not find much comfort in Apple's assurances that "sensitive personal information was encrypted and cannot be accessed." If cyber criminals have gotten their hands on developers' contact info, they're a step away from getting their hands on associated password information, either via cracking or spear-phishing. The last thing a developer wants is to have a bad guy take control of his or her developer account and attempt to propagate malware in his or her name.

For the time being, we don't know Balic's true intentions. Nor do we know whether anyone other than Balic knew about the vulnerability that enabled him to make off with either 73 or 100,000-plus developers' data. What's clear, though, is that if you're an Apple developer, you need to assume that your account may have been breached and take the necessary precautions, starting with changing your password as soon as possible.
