Apple hack conducted for the greater good of research

Summary: A security researcher has stepped up and shouldered the blame for taking down Apple's Dev Center --all in the name of blowing the whistle on bugs.

Ibrahim Balic has admitted to taking down Apple's developer portal -- but wants to make the difference between a hacker and security researcher crystal clear.

Earlier this month, Apple's members-only development center, the Dev Center, experienced a service outage. The site declared that the portal was "undergoing maintenance for an extended period," and the downtime spurred a wave of grumbling across social media as developers were left in limbo.

The home page is now accessible, but the members-only area remains closed.

Downloads, guides, support, forums and developer tools all remain inaccessible. As beta testing for the latest Apple operating system is taking place for app developers, it seemed unlikely that maintenance was the true reason -- and once reports appeared that some users were receiving password reset emails, worries of a security breach began to surface.

Over the weekend, Apple revealed that "an intruder attempted to secure personal information of our registered developers from [the] developer website" in an email sent to developers. As a result, the Cupertino-based firm said it was working to prevent such a breach taking place again.

Taking to Twitter, London-based researcher Ibrahim Balic then claimed responsibility for the service outage.

Rather than being conducted with malicious intent, the researcher says that flaws were exposed in the name of research. After reports suggested that the security breach was potentially caused by cybercriminals seeking confidential developer information, Balic tweeted:

"This is definitely not a hack attack, I have reported all the bugs. I am not a hacker, I do security research."

Following the disclosure, Balic came under Apple's scrutiny, and the company has now contacted him via email to discuss the security vulnerabilities in the portal.

According to The Next Web, Balic's research discovered a total of 13 flaws, which were reported to the iPad and iPhone maker, and were also revealed in an uploaded video before being pulled. The researcher claims he was able to access the data of over 100,000 users.

Apple's Dev Center homepage now reads:

"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database."

Talkback

26 comments
  • It is very important

    that companies do not go after guys like this. The lawyers' instincts are always to do that, but their companies benefit greatly from people doing this kind of research without actually doing damage.
    Mac_PC_FenceSitter
    • It's a tough call

      People should be hired to do this, not take it on their own.

      We only have his word that he did it for the reasons he claimed. He could have taken what he needed, called Apple to report the bugs, all in an effort to look like the good guy.

      I wonder if breaking into someone's home could be explained away as "security research" as easily?
      William Farrel
      • In this particular case,

        someone needed to break into the house that Macs and iDevices built. Apple has always been rather lax when it comes to OS security, and security in general.
        Champ_Kind
      • Yes

        Well, if you leave your door open and someone helps you by closing it, surely yes. Would you prefer that person leaving it open while you are away until a thief gets in? Should that person be prosecuted for seeing the door open?
        Santiago Alzate
  • Kudos to Apple

    They act quickly when they see a REAL threat!

    Kudos!
    Gr8Music
  • I hope Apple does NOT kill the messenger!

    :-(
    kd5auq
    • When you steal 100,000 records, you're no longer a messenger.

      And if Apple has to contact you about it after that fact, you're not really a researcher.

      This guy is obviously smart about computers, networking and security, but he's dumb about the law, PR and the reality of the "real world."
      matthew_maurice
      • Let's all dig deep in our pockets for change...

        And see if we can give matthew_maurice some common cents.

        When you spend a big chunk of your time working on vulnerabilities like this, you don't put it on a résumé, email it to Apple, and hope they hire you or compensate you for your time/discovery… Well, you might, but someone who knows how to get paid for their work doesn't.
        i8thecat4
  • Marketing win. Fixed for god. Love it.

    "In order to prevent a security threat like this from happening again"

    Yes, it means, well, once our creaking bones have fixed this current hole.
    You have to love Apple, marketing through and through.

    100's more of the same and you know it, but with downtime usually shorter you always get to stay schtum.
    They have more lawyer salesmen than 1 mr fixits.
    albionstreet
  • The sunny side of the street

    developer.apple.com/membercenter/

    Say 'back soon' as of the 24th

    6 days gone, a full week tomorrow
    Gone up in a puff of smoke has it?
    On other planets a 1 hour outage is difficult, a day very bad news, 6 days a catastrophe.
    albionstreet
    • new apps

      and even submitting brand new apps is a pain now, not everything works smoothly, you have to contact support etc.

      I wonder how it all ends for Ibrahim. Good luck!
      ksmolka
    • Kudos to apple for acting so quickly

      n/t
      Little Old Man
  • Fix it with PR

    when your PR department is bigger than your R&D, you use PR to fix everything.
    warboat
  • Typical. Excusing thug behavior

    because it's for the "greater good." A lot of bad things have been done in that name throughout history.

    What we really have here is a spoiled brat who didn't think Apple was taking him seriously enough, so he was going to show them who's in charge.
    baggins_z
    • read it properly

      He didn't hack Apple.
      Apple PR is trying to make it out as a hacking/security problem.
      He highlighted the flaws in Apple's systems as flaws and not just the result of an attack.
      Apple pulls down system for "maintenance" while Apple PR has a week long meeting to work out a FIX for their image.
      warboat
  • I'm not buying it.

    It's one thing to discover flaws. It's another to disrupt access to a site. Especially for such an extended period of time. I'm also not buying Apple's explanation that they're completely revamping the site.
    ye
    • He didn't disrupt access to their site

      From what I've read, that was apple's decision to take the site down. This is because osx security is flawed by design. That's why they need a complete rewrite and why they took the site down. I know the wording of the blog is poor but I don't think Ibrahim ever said he actually took the site down, only that apple took the site down because he exposed just how piss poor their security is.

      I also laugh about this PR statement from apple:
      "an intruder attempted to secure personal information of our registered developers"

      Nope. An intruder DID secure personal information.

      What I've never seen explained is why, at the exact same time this innocent hack occurred, thousands upon thousands of apple dev account password reset emails were sent out. Was this a side effect of stealing the info or is there a cover up going on here? Is Ibrahim an apple invention in order to make it seem like no "bad guys" have ever broken into the dev site? Folks, these bugs have been out there forever. It would be naive to assume they've never been used before. This would probably explain why so many apple devs have fallen prey to identity theft.

      Folks, it simply isn't safe to be an apple developer. Even apple admits that they can't design a secure system.
      toddbottom3
      • Spam filter?

        nt
        ye
        • I've stopped struggling with it

          This is far easier.
          toddbottom3
          • I can't believe my profanity laced post didn't get their attention.

            Amazing.
            ye