Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'

Posted in General Discussion, edited January 2014
The hacker who accessed encrypted data from Apple's developer center website says he found and reported 13 bugs to the company, but that he has no intention of accessing or using the encrypted user data he obtained in seeing "how deep" he could go.



In a comment made on TechCrunch, Ibrahim Balic identified himself as a "security researcher" who attempted to point out serious issues to Apple about its Dev Center website. His comments came in response to an admission by Apple on Sunday that its developer website was hacked.

Sensitive personal information included on the registered developers website was encrypted, and Apple does not believe the information can be accessed. But Balic suggested he has been able to obtain some user details as evidence to Apple of an apparent security flaw.

Balic said he found a total of 13 bugs on Apple's site, one of which provided him with access to user information. He claims to have taken 73 user details, all of whom are Apple employees, and given them to the company as an example.

But 4 hours after he gave that user data to Apple, the company shut down its Dev Center website. The outage began last Thursday and has continued ever since, while Apple has worked "around the clock" in an effort to patch the apparent security issues.

Balic's public comments appear to be an effort to clear his name, as he said he's "not feeling very happy" about how the situation has been portrayed. He also said he's concerned about potential legal action against him.

"I did not done this research to harm or damage," he wrote in his comment. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise (sic) of seeing how deep I can go within this scope."



The supposed researcher claims that he has obtained more than 100,000 encrypted user details by exploiting bugs on Apple's Dev Center website. In a video he posted to YouTube, Balic shows a handful of names and email addresses found in raw data allegedly taken from the Dev Center.

"I will be deleting all the datas I have, only got these datas to see just how deep I can go," the video reads. "Also have informed Apple before taking these datas."

Comments

  • Reply 1 of 125
    rydewnd2, Posts: 14, member
    If he's a security researcher and not a hacker, why is he revealing real developers' names and other info in a YouTube video? Seems best suited for a white paper or essay, no?
  • Reply 2 of 125
    gtr, Posts: 3,231, member


    Sue him.

    No ifs, ands, or buts.

  • Reply 3 of 125
    squuiid, Posts: 51, member
    How naive. Wow.
  • Reply 4 of 125
    Omg!
    Exposing real info on utube.
    Developers will sue u
  • Reply 5 of 125
    I was just jiggling the front door knob. When I found it open, I went inside the house to see if the owners had left anything valuable sitting around. Seeing that they did, I stuck some of it in my bag to prove to them how bad it could have been... but I was never going to do anything "wrong", I promise.
  • Reply 6 of 125
    gazoobee, Posts: 3,754, member

    Quote:
    Originally Posted by rydewnd2

    If he's a security researcher and not a hacker, why is he revealing real developers' names and other info in a YouTube video? Seems best suited for a white paper or essay, no?

    Seems to me that he is an "amateur" security researcher at best in that he doesn't seem to know the rules, and judging by his statement has severe communication difficulties (ESL?) to boot. Sort of like an idiot child burglar who sets off an alarm and when caught tells you that he had no intention to steal, just to see if he could get in. Even if it's true, he's still an idiot.

  • Reply 7 of 125
    jollypaul, Posts: 328, member
    Everyone should have a sense of porpoise in life. So long and thanks for all the fish.
  • Reply 8 of 125
    monstrosity, Posts: 2,182, member
    What an idiot!
  • Reply 9 of 125
    kdarling, Posts: 1,640, member

    1) If he could do it, and it's true that Apple didn't do anything until he wrote them about it, then others could also already have obtained such info.

    2) Since the website went down, developers are reporting phishing emails pretending to be Apple asking for account confirmations. Beware. Give out no info to such emails.

    3) Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+) ... "transparency" (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).

  • Reply 10 of 125
    lkrupp, Posts: 6,608, member

    Companies and governments are deadly serious about this kind of stuff these days. If he were a real professional he would have known this. Perhaps he was hoping to get hired by Apple because of this? Nope.

    The problem is he will be made out to be some kind of hero by a) the hater crowd, b) the wikileaks weirdos, c) C|net, d) MacRumors. And every nerd sitting in their parents' basement will now be trying to attack Apple's sites. Oh wait, they already do that all the time.

  • Reply 11 of 125
    blackbook, Posts: 1,361, member

    Quote:
    Originally Posted by Gazoobee

    judging by his statement has severe communication difficulties (ESL?) to boot.

    I assumed English wasn't his first language...

  • Reply 12 of 125
    eriamjh, Posts: 1,096, member

    One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm. A crime is a crime. I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.

    Apple is horrible at responding to weakness emails. They seem to only fix bugs when they are already exploited. This guy is like Snowden, in a way.

  • Reply 13 of 125
    It seems like the guy wants to be hired by Apple...gosh...even the music in the background sounds like a soundtrack for a white paper when you want to sell yourself to a big company.
  • Reply 14 of 125
    hghi, Posts: 2, member
    So I guess hackers can do anything if they just say they are security researchers. He had no authority to be there, so he should not have been there. "Do not tamper with other people's stuff unless authorized" is the first rule for security research.
  • Reply 15 of 125
    hghi, Posts: 2, member
    !
  • Reply 16 of 125
    I would sue!
    It doesn't matter if you did it just to see "HOW DEEP I COULD GO"

    You think you can do this to arguably the most powerful company on the globe and just get off scot-free?? UMMMMMM no!!!!!
  • Reply 17 of 125
    He did Apple a valuable service. Good for him. Better him than the NSA.
  • Reply 18 of 125
    rogifan, Posts: 10,669, member
    How do we know this guy is legit?
  • Reply 19 of 125
    charlituna, Posts: 7,198, member
    First off, call it semantics if you like but he is a hacker. He might see himself as a 'white hat' but he is a hacker.

    Second, we have only his word that his version of the story is true. It's possible it is false and he is spreading this story because he fears Apple figured out who did it and he wants to paint himself a hero etc so Apple will be less likely to press charges. Trouble is that he did this 'research' without Apple's approval so he put himself at risk of many laws. If he's in the US he could find himself the next Aaron Swartz in the eyes of the Federal prosecutors. And while them going after Swartz as a hacker is debatable it's not in this same.

    Third, the phishing emails are timed too well not to be connected. And the YouTube video with real folks' info, not cool.
  • Reply 20 of 125
    barthrh, Posts: 84, member

    Quote:
    Originally Posted by Gazoobee

    , and judging by his statement has severe communication difficulties (ESL?) to boot.

    Stupid non-English-speaking Turks. I'm sure that your fluency in Turkish would teach him a thing or two!
