
Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'

post #1 of 121
Thread Starter 
The hacker who accessed encrypted data from Apple's developer center website says he found and reported 13 bugs to the company, but that he has no intention of accessing or using the encrypted user data he obtained in seeing "how deep" he could go.
In a comment made on TechCrunch, Ibrahim Balic identified himself as a "security researcher" who attempted to point out serious issues to Apple about its Dev Center website. His comments came in response to an admission by Apple on Sunday that its developer website was hacked.

Sensitive personal information included on the registered developers website was encrypted, and Apple does not believe the information can be accessed. But Balic suggested he has been able to obtain some user details as evidence to Apple of an apparent security flaw.

Balic said he found a total of 13 bugs on Apple's site, one of which provided him with access to user information. He claims to have taken 73 user details, all of whom are Apple employees, and given them to the company as an example.

But 4 hours after he gave that user data to Apple, the company shut down its Dev Center website. The outage began last Thursday and has remained ever since, while Apple has worked "around the clock" in an effort to patch the apparent security issues.

Balic's public comments are apparently in an effort to clear his name, as he said he's "not feeling very happy" about how the situation has been portrayed. He also said he's concerned about potential legal action against him.

"I did not done this research to harm or damage," he wrote in his comment. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise (sic) of seeing how deep I can go within this scope."



The supposed researcher claims that he has obtained more than 100,000 encrypted user details by exploiting bugs on Apple's Dev Center website. In a video he posted to YouTube, Balic shows a handful of names and email addresses found in raw data allegedly taken from the Dev Center.

"I will be deleting all the datas I have, only got these datas to see just how deep I can go," the video reads. "Also have informed Apple before taking these datas."
post #2 of 121
If he's a security researcher and not a hacker, why is he revealing real developers names and other info in a YouTube video? Seems best suited for a white paper or essay no?
post #3 of 121

Sue him.

 

No ifs, ands, or buts.

post #4 of 121
How naive. Wow.
post #5 of 121
Omg!
Exposing real info on utube.
Developers will sue u
post #6 of 121
I was just jiggling the front door knob. When I found it open, I went inside the house to see if the owners had left anything valuable sitting around. Seeing that they did, I stuck some of it in my bag to prove to them how bad it could have been... but I was never going to do anything "wrong", I promise.
post #7 of 121
Quote:
Originally Posted by rydewnd2

If he's a security researcher and not a hacker, why is he revealing real developers names and other info in a YouTube video? Seems best suited for a white paper or essay no?

 

Seems to me that he is an "amateur" security researcher at best, in that he doesn't seem to know the rules, and judging by his statement he has severe communication difficulties (ESL?) to boot. Sort of like an idiot child burglar who sets off an alarm and, when caught, tells you that he had no intention to steal, just wanted to see if he could get in. Even if it's true, he's still an idiot.

post #8 of 121
Everyone should have a sense of porpoise in life. So long and thanks for all the fish.
post #9 of 121
What an idiot!
post #10 of 121

1)  If he could do it, and it's true that Apple didn't do anything until he wrote them about it, then others could also already have obtained such info.

 

2)  Since the website went down, developers are reporting phishing emails pretending to be Apple asking for account confirmations.   Beware.  Give out no info to such emails.

 

3)  Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency"  (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).


Edited by KDarling - 7/22/13 at 6:19am
post #11 of 121

Companies and governments are deadly serious about this kind of stuff these days. If he were a real professional he would have known this. Perhaps he was hoping to get hired by Apple because of this? Nope.

 

The problem is he will be made out to be some kind of hero by a) the hater crowd, b) the wikileaks weirdos, c) C|net, d) MacRumors. And every nerd sitting their parent's basement will now be trying to attack Apple's sites. Oh wait, they already do that all the time.

post #12 of 121
Quote:
Originally Posted by Gazoobee

judging by his statement has severe communication difficulties (ESL?) to boot.  

 

I assumed English wasn't his first language...

post #13 of 121

One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm.  A crime is a crime.  I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.

 

Apple is horrible at responding to weakness emails.  They seem to only fix bugs when they are already exploited.  This guy is like Snowden, in a way.

post #14 of 121
It seems like the guy wants to be hired by Apple... gosh... even the music in the background sounds like a soundtrack for a white paper when you want to sell yourself to a big company.
post #15 of 121
So I guess hackers can do anything if they just say they are security researchers? He had no authority to be there, so he should not have been there. "Do not tamper with other people's stuff unless authorized" is the first rule of security research.
post #16 of 121
!
post #17 of 121
I would sue!
It doesn't matter if you did it just to see "HOW DEEP I COULD GO".

You think you can do this to arguably the most powerful company on the globe and just get off scot-free?? UMMMMMM no!!!!!
post #18 of 121
He did Apple a valuable service. Good for him. Better him than the NSA.
post #19 of 121
How do we know this guy is legit?
post #20 of 121
First off, call it semantics if you like but he is a hacker. He might see himself as a 'white hat' but he is a hacker.

Second, we have only his word that his version of the story is true. It's possible it is false and he is spreading this story because he fears Apple figured out who did it and he wants to paint himself a hero, etc., so Apple will be less likely to press charges. Trouble is that he did this 'research' without Apple's approval, so he put himself at risk under many laws. If he's in the US he could find himself the next Aaron Swartz in the eyes of the Federal prosecutors. And while them going after Swartz as a hacker is debatable, it's not the same in this case.

Third, the phishing emails are timed too well not to be connected. And the YouTube video with real folks' info is not cool.

post #21 of 121

Sue his sorry ass. Some people have zero common sense. He deserves whatever comes his way.

post #22 of 121
Yeah, right.
post #23 of 121

I don't buy that he's related to the phishing e-mails. I've received Apple phishing e-mails before. I'll bet that all the other scammers see this as a great opportunity to catch some people off guard as many would be worried.

post #24 of 121
Quote:
Originally Posted by KDarling

(apparently email addresses are not considered sensitive).

When they use the term 'sensitive' they refer to information someone can't easily get by another means.
People give out their email addresses all the time, unlike, say, your password, credit card info, etc.

post #25 of 121
Quote:
Originally Posted by hghi

So I guess hackers can do anything if they just say they are security researchers? He had no authority to be there, so he should not have been there. "Do not tamper with other people's stuff unless authorized" is the first rule of security research.

He should have reported the first issue and stopped. Seeing how deep he could go is hacker mentality. I see an arrest in his future. This has not been a small impact to Apple or the developers.
post #26 of 121

If the guy in the AT&T iPad hacking case was charged and convicted, I don't know how the same standard doesn't apply to this supposed "security researcher".

post #27 of 121
Quote:
Originally Posted by hghi

So I guess hackers can do anything if they just say they are security researchers? He had no authority to be there, so he should not have been there. "Do not tamper with other people's stuff unless authorized" is the first rule of security research.

If you check his email it looks like he's just moonlighting because doing online market research and advertising isn't going so well.

post #28 of 121
Quote:
Originally Posted by JollyPaul

Everyone should have a sense of porpoise in life. So long and thanks for all the fish.

+1. Douglas will be chortling in his grave.

post #29 of 121
Most of your responses are typical responses that I would expect from Apple the company.
Don't thank the guy for exposing all these security holes. Vilify him! Should he have posted the YouTube video before going straight to Apple? Probably not. But God forbid someone with actual evil intent stole all the user data and did something worse with it.

This is eerily similar to the guy a while back that snuck in malware to the app store to prove it could be done and had his developer license revoked. At this point, why would anyone WANT to help Apple avoid their security blunders?
post #30 of 121
Quote:
Originally Posted by GTR

Sue him.

 

No ifs, ands, or buts.

Yes, because I am sure the amount Apple can receive from him in relation to its attorney fees are worthwhile. 

post #31 of 121

For what it's worth...

 

According to the hacker news website below, the reason he went public was because of the way Apple worded their notice that  "... an intruder attempted to secure personal information ..."  

 

Apparently he would've preferred if Apple had said something more like, "we were alerted of a possible vulnerability", since he purposely told them about it without having any nefarious intentions.

 

Quote:

"A UK-based security researcher, Ibrahim Balic, claims that he reported 13 vulnerabilities in Apple's systems, highlighting a hole that could have left data from the Developer Center exposed.

For proof of concept, he demonstrated the hack on 73 Apple employees while reporting to Apple's security team. Though he admits that he was able to hack more than 100,000 users, he did not hack the system for malicious purposes.

The security researcher is not happy with Apple's statement, which cited an attempted security breach as the reason for the developer site outage."

 

http://thehackernews.com/2013/07/apples-developer-center-offline-for-32.html

post #32 of 121
U mean, there is nothing wrong that he utubed the real info?
post #33 of 121
Quote:
Originally Posted by KDarling

For what it's worth...

According to the hacker news website below, the reason he went public was because of the way Apple worded their notice that  
"... an intruder attempted to secure personal information ..."  


Apparently he would've preferred if Apple had said something more like, "we were alerted of a possible vulnerability", since he purposely told them about it without having any nefarious intentions.

OK but these are all just his claims at this point, right? Has Apple confirmed any of this?
post #34 of 121
Quote:
Originally Posted by applecansuckmyd

All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.
U mean, there is nothing wrong that he utubed the real info?
post #35 of 121
Quote:
Originally Posted by monstrosity

What an idiot!

If all idiots had the talent to do something similar ...

post #36 of 121

He wanted to make a name for himself...   uh.. I think it worked.

His strategy was flawed, if he wanted Apple to appreciate his abilities.

post #37 of 121
I wish people would stop trying to shoot the messenger. In all probability if he were malevolent, we would hear nothing from him. There are always phishing attacks directed at Apple developers which should universally fail. On the other hand this event should allow the minions to do all the things they've wanted and needed to do to improve security.

In any case note that unlike other breaches all sensitive information was encrypted (according to Apple) so it seems this would only help enable phishing attacks which are already prevalent. Except for Apple developers this is just a PR issue. Of course since billions go to developers it is newsworthy but we will see how effective Apple's security has been and how agile the response is.
post #38 of 121
For those curious about how the breach may have occurred:

https://news.ycombinator.com/item?id=6080620
post #39 of 121
Quote:
Originally Posted by applecansuckmyd

All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.

Being considered ethical by a small subset of the population does not make an action ethical and it certainly does not have any effect on its legality. The simple fact is that he broke into a private security system without authorization, and should therefore be punished regardless of his intent.

If I find a burglar in my house, I'm going to shoot him. There is no question of intent; he has crossed the line in invading my personal space.

Also, I find your screen name offensive and hope your account gets banned.
post #40 of 121
Quote:
Originally Posted by Rogifan

OK but these are all just his claims at this point, right? Has Apple confirmed any of this?

 

It's doubtful that Apple will ever confirm much, especially since that would only highlight that it's possible that many such intrusions could have taken place without being noticed.

 

That is, if he was able to inject SQL or OGNL into a web request and get this info, others will have tried and succeeded as well.

 

So Apple will want to simply put this behind them as soon as possible.

 

--

 

As to how it's possible in the first place, well, every major corporation runs third-party testing software these days just to look for stuff like this. If you find a problem, you have to fix it or get a security waiver.

 

Part of the problem is that IT groups tend to install updates rather slowly, because they have to test so many related applications.  Plus, you never know what new vulnerabilities the update has.  

 

It's like, damned if you do, and damned if you don't.

 

Therefore website frameworks can easily be a year or more out of date, and it takes something like this to push everyone into action.   It's also why it takes so long to fix.  Everything has to be tested, and that can normally take weeks in the best case.  Here, they have to accelerate that process.

 

Been there, done that.  I am sympathetic towards the pain that Apple's IT group is going through right now.
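Post #40 above speculates that the data came out through SQL or OGNL injected into a web request. The following is an added illustration of what that class of flaw looks like on the application side; it is not code from Apple, from Balic, or from anyone in this thread, and the in-memory SQLite tables, user names, hashes and payloads are all constructed for the example. It shows why a single string-concatenated query is enough to pull not just the row the page intended to show, but every row, and rows from a table the page never queried at all, and how parameter binding closes that hole.

```python
import sqlite3

# Constructed sample data standing in for a developer-portal user store.
# None of these names, addresses or hashes are real.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]
SAMPLE_SECRETS = [
    ("alice", "hash_a"),
    ("bob", "hash_b"),
    ("carol", "hash_c"),
]

# Hypothetical attacker inputs submitted as the "username" request parameter.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT username, pw_hash FROM secrets --"


def make_db():
    """Build an in-memory database with a public-ish table and a secret one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SAMPLE_SECRETS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Classic injection bug: the request parameter is spliced into SQL text,
    so quotes, OR, UNION and comment markers in it are parsed as SQL."""
    sql = ("SELECT username, email FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the driver passes the value separately from the
    query text, so it can only ever be compared as a string."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the three inputs and report row counts."""
    conn = make_db()
    results = {}
    for label, value in (("normal", "alice"),
                         ("tautology", TAUTOLOGY_PAYLOAD),
                         ("union", UNION_PAYLOAD)):
        results[label] = (len(lookup_vulnerable(conn, value)),
                          len(lookup_safe(conn, value)))
    return results


if __name__ == "__main__":
    for label, (vuln_rows, safe_rows) in demo().items():
        print(f"{label:10s} vulnerable={vuln_rows} rows  safe={safe_rows} rows")
```

The tautology payload turns the WHERE clause into `username = 'x' OR '1'='1'`, which matches every user; the UNION payload appends a second SELECT against the `secrets` table and comments out the closing quote, so the page that was supposed to show one developer's email returns password hashes instead. The parameterized version returns the single matching row for a real name and nothing for either payload, because the payload is compared as a literal string and never parsed. The same reasoning applies to OGNL or any other expression language evaluated over request input: the fix is to keep untrusted data out of the code path that is parsed.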
