
Researcher claims responsibility for security breach at Apple Developer website

Lucian Constantin | July 24, 2013
The researcher says he was able to obtain names and email addresses of users and claims he reported the flaw to Apple.

An independent security researcher claimed responsibility for the security breach incident that forced Apple to close down its Developer Center website last week.

Ibrahim Balic claims that he reported the vulnerability to Apple and didn't act with any malicious intentions, but he confirmed extracting user IDs, names and email addresses from the website.

On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the company said in a message posted on the site's home page.

Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

"This is definitely not a hack attack; I have reported all the bugs," Balic said Monday on Twitter. "I am not an hacker, I do security research," he said in a separate message.

Balic's name is listed on Facebook's acknowledgement page for security researchers who responsibly reported security issues to the company.

"I reported security bugs to Facebook and Opera before over numerous times," Balic said Tuesday via email.

He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

"The video is now removed from YouTube," Balic said on Twitter. "I apologize for sharing some of the confidential information."

He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

The vulnerability exploited to extract the information was reported to Apple via the company's "Bug Reporter" system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

Balic claims that the company did not respond to his reports until today, when he received an email saying that the issues are being investigated.

Apple did not respond to a request for comment filed Monday.

 
