The Apple Developer Center has now been down since Thursday, making our initial surprise on Friday that it'd been down for 30 hours seem almost silly. And now the plot thickens further. After Apple finally announced last night that a security breach was responsible for the delay, a self-proclaimed "security researcher" named Ibrahim Balic came forward to admit he may have been responsible.
The 25-year-old Balic initially explained his motivations in a TechCrunch comment. "In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots. One of those bugs have provided me access to users details etc. I immediately reported this to Apple. I have taken 73 users details (all apple inc workers only) and prove them as an example. 4 hours later from my final report Apple developer portal has closed down and you know it still is."
Most of these bugs, surprisingly enough, dealt with iAd, Apple's advertising platform, as TechCrunch learned after it followed up with Balic for an interview. According to writer Chris Velazco, "That little security issue is centered around Apple’s iAd Workbench, a recently launched tool that lets users craft and target iAd campaigns to better build hype around their iOS apps. Balic discovered that if you manipulated a request sent to the server that runs Workbench, it would allow you to try to add a new user to the account. From there you could try throwing in first names, last names — whatever really — and the server would then respond with a full name and email address."
Balic claims he had good intentions in mind when he broke in, but the way he handled the action may leave him in hot water. Rather than giving Apple time to work out the problem after the report, he claimed he went one step further and downloaded the private information for over 100,000 developers through a Python script. That's a far cry from the actions of most "white hat" hackers, who tend to avoid downloading any user data, let alone the data of 100,000 users.
Balic then defended his actions in a YouTube video (all while neglecting to hide the information in question) that has since been made private. He admitted on Twitter this morning that he'd taken down the video as a way of apologizing for sharing the confidential information. So far, based on his interactions with TechCrunch and his responses on Twitter, he seems like he may really have had good intentions in mind but made bumble after callow bumble in an attempt to get the word out. Rather than a malicious hacker, we seem to be dealing with a young man who wishes the trouble he's stirred up would just go away.
As Wired reports, though, it may not. Actions similar to Balic's aren't without precedent, most notably in the case of Andrew "Weev" Auernheimer, who demonstrated that you could download the private information for iPad users from AT&T's website. His actions landed him three and a half years in jail.
Follow this article's writer, Leif Johnson, on Twitter.