Information Security News mailing list archives

Self-Outed Security Researcher May Be to Blame for Dev Center Outage


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 23 Jul 2013 06:12:49 +0000 (UTC)

http://www.maclife.com/article/news/selfouted_security_researcher_may_be_blame_dev_center_outage

By Leif Johnson
Maclife.com
July 22, 2013

The Apple Developer Center has now been down since Thursday, making our initial surprise on Friday that it'd been down for 30 hours seem almost silly. And now the plot thickens further. After Apple finally announced last night that a security breach was responsible for the delay, a self-proclaimed "security researcher" named Ibrahim Balic came forward to admit he may have been responsible.

The 25-year-old Balic initially explained his motivations in a TechCrunch comment. "In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots. One of those bugs has provided me access to users' details etc. I immediately reported this to Apple. I have taken 73 users' details (all Apple Inc. workers only) and prove them as an example. 4 hours later from my final report Apple developer portal has closed down and you know it still is."

Most of these bugs, surprisingly enough, dealt with iAd, Apple's advertising platform, as TechCrunch learned after it followed up with Balic for an interview. According to writer Chris Velazco, "That little security issue is centered around Apple's iAd Workbench, a recently launched tool that lets users craft and target iAd campaigns to better build hype around their iOS apps. Balic discovered that if you manipulated a request sent to the server that runs Workbench, it would allow you to try to add a new user to the account. From there you could try throwing in first names, last names -- whatever really -- and the server would then respond with a full name and email address."
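The pattern Velazco describes is a classic user-enumeration flaw: an "add user" endpoint that looks up a record keyed on attacker-supplied names and echoes the match back, so every guess either fails or discloses a full name and email address. The following is an added illustration of that pattern in generic form, written for this archive; it is not Apple's code, nothing in it reflects how iAd Workbench was actually implemented, and the directory, account and user identifiers are constructed sample data.

```python
"""Constructed illustration of user enumeration through an "add user" endpoint.

The leaky handler shows the vulnerable pattern described in the article; the
hardened handler shows the usual fix.  All names, emails and account IDs are
made-up sample data, and this is not code from Apple or iAd Workbench.
"""

from typing import Callable, Dict, List, Set

# Constructed sample directory of users (hypothetical, not real accounts).
USER_DIRECTORY: Dict[str, Dict[str, str]] = {
    "u1001": {"first": "Alice", "last": "Anders", "email": "alice@example.com"},
    "u1002": {"first": "Bob", "last": "Brown", "email": "bob@example.com"},
    "u1003": {"first": "Carol", "last": "Cruz", "email": "carol@example.com"},
}

# Authorization data used by the hardened handler: which users may administer
# which campaign account (constructed for the example).
ACCOUNT_ADMINS: Dict[str, Set[str]] = {"acct-1": {"u1001"}}


def leaky_add_user(payload: Dict[str, str]) -> Dict[str, object]:
    """Vulnerable pattern.

    The lookup is keyed on whatever name fields the client sends, there is no
    check that the caller administers the target account, and the matched
    record is echoed back in the response.  Each request therefore acts as a
    yes/no oracle that also returns the victim's full name and email address.
    """
    wanted = {k: v.lower() for k, v in payload.items() if k in ("first", "last") and v}
    if not wanted:
        return {"status": "error", "reason": "no name supplied"}
    for record in USER_DIRECTORY.values():
        if all(record[field].lower() == value for field, value in wanted.items()):
            return {
                "status": "added",
                "user": {"name": f"{record['first']} {record['last']}",
                         "email": record["email"]},
            }
    return {"status": "error", "reason": "no such user"}


def hardened_add_user(caller_id: str, account_id: str,
                      payload: Dict[str, str]) -> Dict[str, object]:
    """Hardened pattern.

    1. Authorize the caller against the account before touching the directory.
    2. Accept only an email address, never free-form name fields to match on.
    3. Return the same response whether or not the address is known; the
       invitation itself is delivered out of band to the mailbox owner, so the
       response never confirms that a user exists.
    """
    if caller_id not in ACCOUNT_ADMINS.get(account_id, set()):
        return {"status": "error", "reason": "forbidden"}
    email = payload.get("email", "")
    if "@" not in email:
        return {"status": "error", "reason": "invalid email"}
    # The lookup result only decides which internal path to take (send an
    # invite to an existing user or to a new address); it is never echoed.
    _is_known = any(r["email"] == email for r in USER_DIRECTORY.values())
    return {"status": "invitation sent"}


def enumerate_users(handler: Callable[[Dict[str, str]], Dict[str, object]],
                    guesses: List[Dict[str, str]]) -> List[str]:
    """Harvest whatever the handler leaks for a list of name guesses.

    Against the leaky handler this returns the email addresses of every user
    whose name appears in the guess list, which is how a wordlist of common
    names turns one bug into a directory dump.
    """
    found: List[str] = []
    for guess in guesses:
        user = handler(guess).get("user")
        if isinstance(user, dict):
            found.append(str(user["email"]))
    return found


if __name__ == "__main__":
    guesses = [{"first": "Alice"}, {"last": "Brown"}, {"first": "Zed", "last": "Zane"}]
    print("leaked:", enumerate_users(leaky_add_user, guesses))
    print("hardened, unknown caller:",
          hardened_add_user("u1002", "acct-1", {"email": "alice@example.com"}))
    print("hardened, known vs unknown address:",
          hardened_add_user("u1001", "acct-1", {"email": "alice@example.com"}),
          hardened_add_user("u1001", "acct-1", {"email": "nobody@example.com"}))
```

The point of the hardened version is that both the authorization check and the uniform response are needed: authorization alone still lets a legitimate account admin enumerate the whole directory, and a uniform response alone still lets an anonymous caller add users to accounts they do not own. Rate limiting on the endpoint is a sensible third layer but is not a substitute for either.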

Balic claims he had good intentions when he broke in, but the way he handled the access may leave him in hot water. Rather than giving Apple time to work out the problem after the report, he claimed he went one step further and downloaded the private information of over 100,000 developers with a Python script. That is a far cry from the conduct of most "white hat" hackers, who tend to avoid downloading any user data at all, let alone the records of 100,000 users.

[...]
