Security researcher claims to have reported bugs shortly before Apple took down its developer portal
London-based security researcher Ibrahim Balic has come forward, claiming he may be the one behind Apple's recent security threat. Following Apple's statement to developers earlier regarding a security threat to the developer portal, Balic posted a comment on TechCrunch's report of the story trying to set the record straight that no harm was ever intended.
In the post, Balic explains that he uncovered 13 bugs while researching Apple's security, and reported them all through Apple's bug reporting site, bugreport.apple.com. One of those bugs allowed him access to developers' user names, email addresses, and possibly other personal information. According to Balic, Apple's developer site went down just a few hours after submitting the last bug report. He has still not been contacted by Apple, but appears frustrated that the incident is being treated as a security threat, asserting that he intended no harm and reported bugs to Apple as they were discovered.
Balic also posted a YouTube video, above, in which he shows some of the data he was able to acquire for several different users where you can see names and email addresses. He also explained in emails with 9to5Mac and The Next Web that the personal information disclosed did not only affect developers, but non-developers as well. The video ends with a written statement from Balic reiterating that he shared the bugs he found with Apple and intends to delete any of the user data he acquired as part of his research.
We won't know for sure if Balic is ultimately responsible for Apple's takedown and subsequent overhaul of the developer portal unless Apple confirms it, but it would be an interesting coincidence if he is not. We have reached out to Balic for comment, but have not yet heard back.
Update: Jim Dalrymple spoke to Apple about the security issues and has posted what he learned on The Loop.
Update 2: Balic has made the YouTube video private since this article was posted.