Security researcher claims to have reported bugs shortly before Apple took down its developer portal

London-based security researcher Ibrahim Balic has come forward, claiming he may be the one behind Apple's recent security threat. Following Apple's statement to developers earlier regarding a security threat to the developer portal, Balic posted a comment on TechCrunch's report of the story trying to set the record straight that no harm was ever intended.

In the post, Balic explains that he uncovered 13 bugs while researching Apple's security and reported them all through Apple's bug reporting site, bugreport.apple.com. One of those bugs allowed him access to developers' user names, email addresses, and possibly other personal information. According to Balic, Apple's developer site went down just a few hours after he submitted the last bug report. He has still not been contacted by Apple, but appears frustrated that the incident is being treated as a security threat, asserting that he intended no harm and reported bugs to Apple as they were discovered.

Balic also posted a YouTube video, above, in which he shows some of the data he was able to acquire for several different users, including names and email addresses. He also explained in emails with 9to5Mac and The Next Web that the personal information disclosed did not only affect developers, but non-developers as well. The video ends with a written statement from Balic reiterating that he shared the bugs he found with Apple and intends to delete any of the user data he acquired as part of his research.

We won't know for sure if Balic is ultimately responsible for Apple's takedown and subsequent overhaul of the developer portal unless Apple confirms it, but it would be an interesting coincidence if he is not. We have reached out to Balic for comment, but have not yet heard back.

Update: Jim Dalrymple spoke to Apple about the security issues and has posted what he learned on The Loop.

Update 2: Balic has made the YouTube video private since this article was posted.

Update 3: We spoke with Ibrahim Balic more about the situation.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.


Reader comments


This Balic character claims to not have malicious intent... yet he claims to have user data on more than 100,000 accounts... does not pass the smell test with me...

and more than happily displays some of those email addresses on YouTube! He's no "security researcher" he's an idiot

Some people have reported that they have had suspicious change password requests this weekend. Since some of those usernames correspond to imore names, if you were one of those people, were your email addresses exposed in that YouTube video?

If not, it may suggest that Balic posted some email addresses in other channels, or that somebody else has found and exploited these holes in the wild, and is trying to use them before they are closed in the wake of Balic reporting them to Apple.

I woke up this morning saying my account was locked out for security reasons and I was forced to change my ID Password. Thanks idiot!


It's worth noting that the vulnerability existed before he found it and would have continued to exist if he had not reported it.

He is just covering his tracks. Reporting it to Apple is another cover your tracks. Security research? No, criminal activity? Yes. I am surprised YouTube did not take the video down, and shut down his account.

Nah. For that to be true he would have to have the expertise to penetrate Apple's systems while simultaneously being incompetent enough to get caught.

Which is possible, but then as a kicker your assertion also requires:

c) Apple would have to be so careless of its developers that they would leave the holes open and their developer's data exposed *KNOWING THERE WAS AN EXPLOIT IN THE WILD* until the exploiter actually filed a public radar issue.

You can think Balic is an idiot, but if you think that he is covering his tracks after getting caught, you must think far, far less of Apple.