Monday 29 July 2013

Researcher claims responsibility for security breach at Apple developer website

An independent security researcher has claimed responsibility for the security breach that forced Apple to shut down its Developer Center website last week.

Ibrahim Balic claims that he reported the vulnerability to Apple and didn't act with any malicious intentions, but he confirmed extracting user IDs, names, and email addresses from the website.


On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the company said in a message posted on the site's home page.

Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

"This is definitely not a hack attack; I have reported all the bugs," Balic said Monday on Twitter. "I am not a hacker, I do security research," he said in a separate message.

Balic's name is listed on Facebook's acknowledgement page for security researchers who responsibly reported security issues to the company.

"I reported security bugs to Facebook and Opera before over numerous times," Balic said Tuesday via email.

He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

"The video is now removed from YouTube," Balic said on Twitter. "I apologize for sharing some of the confidential information."

He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

The vulnerability exploited to extract the information was reported to Apple via the company's "Bug Reporter" system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

Balic claims that the company did not respond to his reports until today, when he received an email saying that the issues are being investigated.

Apple did not respond to a request for comment filed Monday.

Some people on Twitter and in comments on other websites criticized Balic's decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.

