Security researcher claims responsibility for Apple breach

The Apple Developer Center has been down for the past four days and has only recently begun to come back online, with the main pages and forums back in operation (although the Member Center is still down). Apple’s statement reads as follows:

We’ll be back soon.

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.

Thank you for your patience.

Enter Ibrahim Balic, a security researcher based in the United Kingdom. He claims to be the person behind the initial intrusion into the Developer Center, saying he found seven bugs, which he later reported to Apple. In a YouTube video (which he later made private), he showed the personal data of 73 Apple employees to prove to Apple that the vulnerability was real, while also stating that the data of over 100,000 developers was accessed when he broke into the system. Luckily for those developers, Balic maintains that he has no malicious plans for the data he accessed.

In a TechCrunch comment, Balic wrote:

Hi there,
My name is Ibrahim Balic, I am a security researcher. You can also search for my name on Facebook’s Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple Inc.

In total I have found 13 bugs and have reported them through http://bugreport.apple.com. The bugs were all reported one by one and Apple was informed. I gave as many details to Apple as I could and I also added screenshots.

One of those bugs has provided me access to users’ details etc. I immediately reported this to Apple. I have taken 73 users’ details (all Apple Inc. workers only) and proved them as an example.

4 hours after my final report the Apple developer portal was closed down and, as you know, it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watched/read whether legal authorities were involved in the investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn’t attempt to publish and have not shared this situation with anybody else. My aim was to report bugs and collect the data for the porpoise of seeing how deep I can go within this scope. I have over 100,000+ users’ details and Apple is informed about this. I didn’t attempt to get the data first and report afterwards; instead I reported first.

I do not want my name to be on a blacklist; please look into this situation. I’m keeping all the evidence, emails and images; I also have the records of the bug reports that I made through Apple’s bug-report system.

His story matches up with the timeline of events, although his explanation of “porpoise [sic] of seeing how deep I can go within this scope” for downloading the data of over 100,000 Apple Developer accounts pushes him beyond the bounds of plausible deniability. The Member Center, where registered Apple developers can download Software Development Kits and beta versions of OS X and iOS, was still down at the time of writing, and currently redirects to the error message displayed below.

[Image: the error message shown by the Member Center]

Apple has issued no timeframe for when the Developer Center will be fully back up. The downtime has affected the iOS beta release schedule: the fourth beta of Apple’s radically redesigned mobile operating system was due to be released earlier today, and there is no sign of it so far. New provisioning profiles for devices cannot be created either, and new apps cannot be submitted to the Mac App Store or the iOS App Store, leading many developers to hope that the Developer Center comes back sooner rather than later.

Source: TechCrunch comment