Ibrahim Balic clarifies his activities surrounding Apple's developer center downtime

Ibrahim Balic on what he did, why he feels responsible for Developer Center downtime, and what he's heard back from Apple since

iMore gets clarification from Ibrahim Balic on the methods he used to test developer center security, the intent behind his video, and Apple's response.

Ibrahim Balic received a lot of attention recently after claiming he may be the person responsible for Apple's ongoing Developer Portal outage. With no further communication or corroboration from Apple, people are still trying to get a clear picture as to exactly what happened last Thursday that prompted Apple to take the site down, and if Balic's actions are truly the cause. In order to get a better handle on what may or may not have happened, and his potential role in it, I communicated with Balic yesterday and asked him a series of questions. Here's what I found out:

Confirming what was originally reported by TechCrunch, the user information shown in Balic's video was not from a developer portal exploit, but was acquired from Apple's iAd Workbench, a tool that lets users create targeted iAd campaigns. With altered web requests, Balic found that by only providing a single piece of user information, first name, last name, etc., he was able to get Apple's servers to return additional information for a matched user account — specifically full name, username and email address.

To better understand the extent of the vulnerability, Balic wrote a Python script that generated random users to throw at Apple's servers in order to get the servers to respond with more account information whenever there was some sort of match. Balic claimed his intent with the script was to better gauge the severity of the bug by trying to get a sense of just how large the pool of vulnerable users was. Getting details for 10 accounts, he claims, tells you that some number of users are affected. Getting details for 100,000 accounts tells you that a tremendous number of users are affected.
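The flaw described above, a lookup that expands a single matching field into a full account record, can be modelled next to a hardened version. This is an added example, not code from the article, from Balic's script, or from Apple; the account data is constructed and every name (`lookup_vulnerable`, `HardenedLookup`, the field names, the limits) is hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory; not real account data.
ACCOUNTS = [
    {"first": "Ada", "last": "Example", "username": "aexample", "email": "ada@example.test"},
    {"first": "Bob", "last": "Sample", "username": "bsample", "email": "bob@example.test"},
]

def lookup_vulnerable(field, value):
    """Flawed pattern: any single matching field returns the whole record."""
    return [dict(a) for a in ACCOUNTS if a.get(field) == value]

class HardenedLookup:
    """Requires authorization, never expands a match into other fields,
    and throttles clients that send many lookups in a short window."""

    def __init__(self, max_queries=5, window=60.0):
        self.max_queries, self.window = max_queries, window
        self.history = defaultdict(deque)  # client_id -> accepted query times

    def _throttled(self, client_id, now):
        q = self.history[client_id]
        while q and now - q[0] > self.window:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.max_queries:
            return True
        q.append(now)
        return False

    def lookup(self, client_id, authorized, field, value, now=None):
        now = time.monotonic() if now is None else now
        if not authorized:
            return {"status": 403}
        if self._throttled(client_id, now):
            return {"status": 429}
        matched = any(a.get(field) == value for a in ACCOUNTS)
        # Response carries no username, email or full name.
        return {"status": 200, "matched": matched}
```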

Of the 100,000 records, Balic included 73 in his bug report to Apple, all of which belonged to Apple employees. Along with the bug report, he indicated that, with the help of his script, he determined the bug to be quite severe, and included the following note:

I think you should fix it as soon as possible.

So if the bug was in iAd, why does Balic believe he might be responsible for the developer portal outage? Of the 13 bugs that Balic filed with Apple, one of them was an XSS (cross-site scripting) vulnerability in the developer site that could have led to accounts being compromised. In fact, of the 13 total bugs, 12 of them were XSS vulnerabilities in various Apple services that had the potential to expose user details. Balic claims he did not dig as deeply into those.

Another source of contention for many people was the video that Balic uploaded to YouTube (which Balic has since removed). The video showed information for some of the accounts that Balic had retrieved with his script, while a terminal window could be seen in the background that looked like it may have been running his script, capturing information for more accounts. Balic didn't explain why he deemed this exposure necessary. When developers started receiving emails from Apple saying that there had been an intruder, however, Balic claims he wanted to set the record straight - that he was a security researcher finding bugs, not a malicious hacker, and that no harm was intended. Unfortunately the video only seemed to hurt his case.

Balic first heard back from Apple on Tuesday morning about the bugs he'd filed:

Thank you for reporting potential security issues via Apple's Bug Reporter. We take any report of a potential security issue very seriously. This message is being sent to you by a security analyst who has reviewed your notes. The issues are being investigated, and we appreciate the time you have taken to report them to us. If we need additional information, you will hear from us very soon.

Is it possible that Apple would call somebody an intruder, then a few days later send a cordial email thanking them for their reports? Maybe. Is it possible Balic wasn't the only one to have discovered exploits into Apple's developer system, or wasn't the person or persons Apple was referring to as an intruder? Again, absent disclosure from Apple, it's impossible to be certain.

Many people reported getting password reset emails starting around the same time that Apple took their developer portal down. Balic says that this was not caused by him and that the information he was able to obtain (names, email addresses, user IDs) does not put their accounts at risk of being compromised. If you do a quick search, it's easy to find dozens of support threads regarding "suspicious" password reset emails for Apple IDs dating back much further than last Thursday. It's not unreasonable to think that maybe people paid more attention to the emails that would otherwise be dismissed as mistakes, or maybe there's another security threat at play that Balic is not responsible for.

It's easy to wonder if the timeline of Balic's bug reports just happened to coincide with some other attack on Apple's servers. Balic doesn't believe this to be the case since Apple's message to developers specifically mentioned the same data he was able to capture. However, with Balic reporting bugs directly to Apple through their official channel, and no indication of the exploits being shared publicly (at the time), some might find it fair to say that taking down the Apple Developer Portal entirely would be a bit drastic. Why not silently patch the bugs like many other vendors?

Balic claims he wouldn't do anything differently if this were to happen again, but also says he has no plans to test Apple's websites any further (he did want to thank his girlfriend for all of her support).

Seven days later, Apple's developer center remains down, and Apple hasn't issued any further communications about what happened, why, or when service is expected to return. For now, all developers can do is continue to wait.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at Double Encore. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

There are 11 comments.

Nemesisprimed says:

This is one of the most logical posts about the incident I've read and I'd like to thank Nick for his unbiased and reasonable thoughts, instead of just pointing fingers and busting skulls.

ZeroLeonheart says:

I think iMore does a good job of reporting actual Apple news and not just rumor fluff and link-bait articles. I agree, this is a great post and the best explanation I've read on the matter to date.

kch50428 says:

Not buying it... if one is intent on not doing harm, they don't run a Python script and harvest over 100,000 user details.

mimllr says:

Where does it say he harvested over 100,000 user details?

kch50428 says:

The 3rd paragraph of the story above obviously eluded you.... it was also reported on previous stories on this subject.

Dev from tipb says:

Again, if he was out to cause harm, he would not have reported it. If, as others claimed in previous stories, he got caught and was covering his tracks, then you have to think that Apple is so incompetent, and so careless of its developers' personal information, that they would leave a hole open WITH A KNOWN EXPLOIT IN THE WILD for a period of time, and only take action after a known exploiter files a radar issue. That defies belief.

Unless you think Apple is stupid and careless to the point of maliciousness, of course.

Gazoobee says:

It's too bad this guy is so poor at communicating. The story shifts with every telling and while it doesn't seem like he is maliciously or deviously altering it, it's almost impossible even when talking to him directly as the author has done here to actually figure out what he did or didn't do.

He certainly seems to have very sloppy methods and procedures. I think the obvious question is whether he has "hacker" friends living with him or with access to his computer? He could easily have just told someone what he is doing (in fact if he has friends at all it's likely he showed them), and that *this* person is the "intruder." I certainly wouldn't hire this guy for a security job.

bsbharath1987 says:

Too bad, he seems to be good at what he does.

Gazoobee says:

I think the jury is still out on whether he is good or not. The mere act of discovering a flaw is just part of the skill set needed.

Adem Reka says:

As always, Apple is terribly slow at solving bugs.

khobia2 says:

Glad he reported the bugs. As for his intent the jury is still out.