Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'
The hacker who accessed encrypted data from Apple's developer center website says he found and reported 13 bugs to the company, but that he has no intention of accessing or using the encrypted user data he obtained in seeing "how deep" he could go.

In a comment made on TechCrunch, Ibrahim Balic identified himself as a "security researcher" who attempted to point out serious issues to Apple about its Dev Center website. His comments came in response to an admission by Apple on Sunday that its developer website was hacked.
Sensitive personal information included on the registered developers website was encrypted, and Apple does not believe the information can be accessed. But Balic suggested he has been able to obtain some user details as evidence to Apple of an apparent security flaw.
Balic said he found a total of 13 bugs on Apple's site, one of which provided him with access to user information. He claims to have taken 73 user details, all of whom are Apple employees, and given them to the company as an example.
But 4 hours after he gave that user data to Apple, the company shut down its Dev Center website. The outage began last Thursday and has remained ever since, while Apple has worked "around the clock" in an effort to patch the apparent security issues.
Balic's public comments are apparently in an effort to clear his name, as he said he's "not feeling very happy" about how the situation has been portrayed. He also said he's concerned about potential legal action against him.
"I did not done this research to harm or damage," he wrote in his comment. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise (sic) of seeing how deep I can go within this scope."
The supposed researcher claims that he has obtained more than 100,000 encrypted user details by exploiting bugs on Apple's Dev Center website. In a video he posted to YouTube, Balic shows a handful of names and email addresses found in raw data allegedly taken from the Dev Center.
"I will be deleting all the datas I have, only got these datas to see just how deep I can go," the video reads. "Also have informed Apple before taking these datas."

Comments
Sue him.
No ifs, ands, or buts.
Exposing real info on utube.
Developers will sue u
Quote:
Originally Posted by rydewnd2
If he's a security researcher and not a hacker, why is he revealing real developers names and other info in a YouTube video? Seems best suited for a white paper or essay no?
Seems to me that he is an "amateur" security researcher at best in that he doesn't seem to know the rules, and judging by his statement has severe communication difficulties (ESL?) to boot. Sort of like an idiot child burglar who sets off an alarm and when caught tells you that he had no intention to steal, just to see if he could get in. Even if it's true, he's still an idiot.
1) If he could do it, and it's true that Apple didn't do anything until he wrote them about it, then others could also already have obtained such info.
2) Since the website went down, developers are reporting phishing emails pretending to be Apple asking for account confirmations. Beware. Give out no info to such emails.
3) Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency" (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).
Companies and governments are deadly serious about this kind of stuff these days. If he were a real professional he would have known this. Perhaps he was hoping to get hired by Apple because of this? Nope.
The problem is he will be made out to be some kind of hero by a) the hater crowd, b) the wikileaks weirdos, c) C|net, d) MacRumors. And every nerd sitting in their parents' basement will now be trying to attack Apple's sites. Oh wait, they already do that all the time.
Quote:
Originally Posted by Gazoobee
judging by his statement has severe communication difficulties (ESL?) to boot.
I assumed English wasn't his first language...
One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm. A crime is a crime. I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.
Apple is horrible at responding to weakness emails. They seem to only fix bugs when they are already exploited. This guy is like Snowden, in a way.
It doesn't matter if you did it just to see "HOW DEEP I COULD GO"
you think you can do this to arguably the most powerful company on the globe and just get off scot-free?? UMMMMMM no!!!!!
Second, we have only his word that his version of the story is true. It's possible it is false and he is spreading this story because he fears Apple figured out who did it and he wants to paint himself a hero etc so Apple will be less likely to press charges. Trouble is that he did this 'research' without Apple's approval so he put himself at risk of many laws. If he's in the US he could find himself the next Aaron Swartz in the eyes of the Federal prosecutors. And while them going after Swartz as a hacker is debatable it's not in this same.
Third, the phishing emails are timed too well not to be connected. And the YouTube video with real folks' info not cool
Quote:
Originally Posted by Gazoobee
, and judging by his statement has severe communication difficulties (ESL?) to boot.
Stupid non-English-speaking Turks. I'm sure that your fluency in Turkish would teach him a thing or two!