Friday, August 2, 2013

Developers look over new apps being displayed on iPads at the Apple Worldwide Developers Conference 2013 in San Francisco. Photo: AP/Eric Risberg
After Apple’s main developer portal was down for maintenance for three days, the company fessed up and revealed that the Developer Center website was compromised by an intruder late last week. The purported “hacker,” it turns out, was a well-meaning independent security researcher. Even though his actions were supposedly benevolent, the researcher could be in hot water if Apple decides to take legal action.
“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website,” Apple wrote in an email to developers. “Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed.”
‘I needed to be heard, and I guess I successfully have.’ — Ibrahim Balic, the security researcher responsible for the Developer Center website’s downtime
The Developer Center is still down today. Apple said it’s “completely overhauling” its developer systems, which includes re-architecting its whole developer database and updating its server software.
Developers, while disconcerted that a security breach happened, feel confident that Apple handled the situation well.
“It seemed to take a long time for Apple to share what was going on, but I’d rather hear an accurate statement of what was compromised than a vague, possibly inaccurate statement,” Zac White, head iOS developer with Velos Mobile, told WIRED.
Apple did not disclose precise details about how the intruder gained access to its systems, but shortly after the company’s public announcement, an independent security researcher named Ibrahim Balic came forward to say he’s the one responsible for the downtime.
Balic was doing research on Apple’s website, discovering and submitting a total of 13 issues to its bug-reporting platform. While some of these were minor cross-site scripting (XSS) bugs, one of the issues he found gave him access to user information like the developer’s full name, email address, and user ID. Balic hasn’t elaborated on what bug allowed him to see this data, or how it worked. Four hours after submitting this bug, Balic says Apple shut down its developer portal. Then, on Sunday, Apple issued its email saying that an intruder had gained access to developer information.
That same day, Balic made a YouTube video (which has since been made private) to argue that “the blame was wrong.” Balic says he wanted to justify himself and show that he was not acting with bad intentions, and that he is not a malicious hacker. “I helped them find some important bugs that should be considered,” Balic said in an email. He switched the YouTube video from public to private on Monday in order to protect users’ confidentiality — in some of the screenshots the video included, users’ email addresses were visible.
“I needed to be heard, and I guess I successfully have,” Balic said. He does not plan on sharing any of the user data he uncovered, and says developers should not be scared, as nothing has been stolen from them.
Unfortunately, based on historical precedent, Balic could be in trouble for his well-intentioned actions.
In 2012, 26-year-old Andrew Auernheimer was found guilty of identity fraud and conspiracy to access a computer without authorization. Two years earlier, he had uncovered a hole in AT&T’s website that allowed anyone to access iPad users’ e-mail addresses and ICC-IDs, an identifier used in authenticating an iPad user’s SIM card. “Weev,” as Auernheimer is better known, was sentenced to three and a half years in jail under the Computer Fraud and Abuse Act — the same law used against Aaron Swartz.
Balic is not concerned that Apple will take legal action against his investigative security efforts. “I don’t think I should be worried, because I did not do anything bad towards Apple company and to their prestige,” Balic says. He also says he did not want the situation to blow up as it did — he was simply alerting Apple to a security issue with its developer system. As a professional security worker, he “could not stay in silence” after the company made its public announcement this weekend.
Balic has contacted Apple “several times” to get more information about what is going on, but has not gotten a response back.
Updated 3:43 PM PST to reflect the Dev Center is still down.
