iMore gets clarification from Ibrahim Balic on the methods he used to test developer center security, the intent behind his video, and Apple's response.
Ibrahim Balic received a lot of attention recently after claiming he may be the person responsible for Apple's ongoing Developer Portal outage. With no further communication or corroboration from Apple, people are still trying to get a clear picture as to exactly what happened last Thursday that prompted Apple to take the site down, and if Balic's actions are truly the cause. In order to get a better handle on what may or may not have happened, and his potential role in it, I communicated with Balic yesterday and asked him a series of questions. Here's what I found out:
Confirming what was originally reported by TechCrunch, the user information shown in Balic's video was not from a developer portal exploit, but was acquired from Apple's iAd Workbench, a tool that lets users create targeted iAd campaigns. By altering web requests, Balic found that providing only a single piece of user information (first name, last name, etc.) was enough to get Apple's servers to return additional information for a matched user account — specifically full name, username and email address.
To better understand the extent of the vulnerability, Balic wrote a Python script that generated random users to throw at Apple's servers in order to get the servers to respond with more account information whenever there was some sort of match. Balic claimed his intent with the script was to better gauge the severity of the bug by trying to get a sense of just how large the pool of vulnerable users was. Getting details for 10 accounts, he claims, tells you that some number of users are affected. Getting details for 100,000 accounts tells you that a tremendous number of users are affected.
Of the 100,000 records, Balic included 73 in his bug report to Apple, all of which belonged to Apple employees. Along with the bug report, he indicated that, with the help of his script, he determined the bug to be quite severe, and included the following note:
"I think you should fix it as soon as possible."
So if the bug was in iAd, why does Balic believe he might be responsible for the developer portal outage? Of the 13 bugs that Balic filed with Apple, one of them was an XSS (cross-site scripting) vulnerability in the developer site that could have led to accounts being compromised. In fact, of the 13 total bugs, 12 of them were XSS vulnerabilities in various Apple services that had the potential to expose user details. Balic claims he did not dig as deeply into those.
Another source of contention for many people was the video that Balic uploaded to YouTube (which Balic has since removed). The video showed information for some of the accounts that Balic had retrieved with his script, while a terminal window could be seen in the background that looked like it may have been running his script, capturing information for more accounts. Balic didn't explain why he deemed this exposure necessary. When developers started receiving emails from Apple saying that there had been an intruder, however, Balic claims he wanted to set the record straight: that he was a security researcher finding bugs, not a malicious hacker, and that no harm was intended. Unfortunately, the video only seemed to hurt his case.
Balic first heard back from Apple on Tuesday morning about the bugs he'd filed:
"Thank you for reporting potential security issues via Apple's Bug Reporter. We take any report of a potential security issue very seriously. This message is being sent to you by a security analyst who has reviewed your notes. The issues are being investigated, and we appreciate the time you have taken to report them to us. If we need additional information, you will hear from us very soon."
Is it possible that Apple would call somebody an intruder, then a few days later send a cordial email thanking them for their reports? Maybe. Is it possible Balic wasn't the only one to have discovered exploits into Apple's developer system, or wasn't the person or persons Apple was referring to as an intruder? Again, absent disclosure from Apple, it's impossible to be certain.
Many people reported getting password reset emails starting around the same time that Apple took their developer portal down. Balic says that this was not caused by him and that the information he was able to obtain (names, email addresses, user IDs) does not put their accounts at risk of being compromised. If you do a quick search, it's easy to find dozens of support threads regarding "suspicious" password reset emails for Apple IDs dating back much further than last Thursday. It's not unreasonable to think that maybe people paid more attention to the emails that would otherwise be dismissed as mistakes, or maybe there's another security threat at play that Balic is not responsible for.
It's easy to wonder if the timeline of Balic's bug reports just happened to coincide with some other attack on Apple's servers. Balic doesn't believe this to be the case since Apple's message to developers specifically mentioned the same data he was able to capture. However, with Balic reporting bugs directly to Apple through their official channel, and no indication of the exploits being shared publicly (at the time), some might find it fair to say that taking down the Apple Developer Portal entirely would be a bit drastic. Why not silently patch the bugs like many other vendors?
Balic claims he wouldn't do anything differently if this were to happen again, but also says he has no plans to test Apple's websites any further (he did want to thank his girlfriend for all of her support).
Seven days later, Apple's developer center remains down, and Apple hasn't issued any further communications about what happened, why, or when service is expected to return. For now, all developers can do is continue to wait.