“Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability.” It’s no secret that Apple’s developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that’s about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be “open” about this disaster in its public statement.
It seems someone called ibrahim Balic, describing himself as a security researcher, contacted Apple with information about 13 bugs he had found in their system. Unfortunately he had already actually used those bugs to hack into the system and retrieve some data about 73 Apple employee accounts and he claimed to have another 100,000 user details he had secured by exploiting the bugs. It is not clear why he did this, he says it was to get Apple’s attention but he had not contacted Apple about the bugs prior to the hack, he decided to hack first.
Apple’s response was too immediately take down the service and servers affected. ibrahim Balic says he is concerned about the impact on his reputation. His statement appears in the comments thread here and it appears to be genuine.
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center…
In a telephone conversation Apple confirmed to TechCrunch the following:
The hack only affected developer accounts; standard iTunes accounts were not compromised
Credit card data was not compromised
They waited three days to alert developers because they were trying to figure out exactly what data was exposed
There is no time table yet for when the Dev Center will return
Personally I would have thought that the sensible thing to do if you identify a security bug or vulnerability in the system of a company and you are a white hat sort of guy would be to notify the company and give them time to do something about before going public, if after a while they fail to respond then go public.
It seems to me that ibrahim Balic’s decision to actually hack the system before telling Apple was a very reckless sort of thing to do. It’s bound to concentrate Apple’s response on working out what has been compromised, all they know is that their system has apparently been hacked by someone they don’t know anything about and who has accessed an unknown amount of data. Given the time period is it likely that Apple, or any company in their position, would actually publicly thank a person who had just days before hacked into their system and stolen an unknown quantity of confidential information?
I also cannot see how it is going to do ibrahim Balic reputation any good.
If that’s actually true then Apple has no reason in the world to give him any credit. In fact, they should probably turn him in but he seems to have done that himself, more or less.
Because he’s an unethical dumbass?
Well, sure. Stealing data isn’t good for your reputation.
I think the problem is that people looking for bugs on other people’s systems don’t do it to find ‘n’ report them, but to see if they can actually be exploited.
It’s a bit like checking if doors are locked, which is okay, but what isn’t okay is to enter a home and walk around to “proof” the door was unlocked.
I think most us wouldn’t mind if some stranger told us we left our car unlocked, but we wouldn’t like it if he also told us he sat in our car for a while, taking pictures, checking the radio presets and making copies of documents found on the glove compartment.
You hit the nail on the head here tbh.
I have contacted site owners (some that had quite a bit of traffic) and told them about SQL injection vulnerabilities (that I pretty much stumbled upon after seeing a MySQL error message bubble up to the surface) and shown them a proof of concept. For the most part, the response was positive.
If it wasn’t, I made sure I kept the emails just in case I had to prove my intentions to law enforcement (I have been threatened once or twice after a heads up to a site owner).
Edited 2013-07-23 18:34 UTC
Some company gave me a login and begged for me to fix their email system.
I fixed their email system. Well, 3 times in fact because their own IT kept messing it up.
And then I got arrested for hacking.
But my iMac’s hard disk contained chat logs that included the help plea + login info so I was a free man the same day.
This story is my only reward.
Funny enough we bought that company last year.
Very similar to my experience. I had a visit from the police and I showed them the email trail and it was quite obvious I had done nothing malicious.
I don’t know from where you get this information, but he is claiming the contrary in this techcrunch comment :
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center…
Where he says :
His version is basically : “I reported bugs to Apple, they didn’t answer my mails so I got pissed off and collected data”.
Now, it is unclear how much time he gave Apple between the first report and his collection of user data in retaliation.
But it seems Apple f–ked up too. It’s not really smart to ignore the emails of someone reporting vulnerabilities on your website.
I think we should wait for further clarification before jumping to conclusion about the good Apple being hacked by a bad guy.
Edited 2013-07-22 12:46 UTC
Being “pissed off” isn’t justification to break the law, no matter what someone thinks of it.
It’s not easy for us on the outside to judge how Apple was dealing with it until he got pissed off. If Apple verified those bugs and assumed it wouldn’t go public or that guy may get annoyed it would seem a little naive considering past public cases.
I agree. I was just pointing out that it seems he did in fact report before exploiting (which is the right thing to do).
And I totally agree with you too.
I just wanted to add that to me it seems too many people have no regard for the law when they’re “pissed off” and this bloke seems to get pissed off rather quickly.
It’s people like Thom with this mentality that’s, in my view, rather dangerous. When these people don’t agree with something they turn in to a judge and executioner in an instant without the need for a phone booth to change clothes.
On this very site we’ve seen what happens if people don’t agree with a certain event. Their suggestions don’t mind breaking laws or rewriting/disregarding entire constitutions.
Reading his comment, and taking into account the ambiguity caused by the guy obviously not writing in his mother tongue, it seems very unclear what the time table is. If somebody finds a security loop hole in a big complex system and reports it how long is it acceptable before he goes public? A week? A month? Ever?
Is it ever justified to actually hack into a system and take confidential data even if it is intended as a way of bringing an issue to someone’s attention?
I don’t know the answers to those questions and the issues raised seem complex and not very clear cut. I think actually hacking a system and taking data in order to prove a point is probably mostly bad most of the time and expecting to be promptly publicly thanked by those whose system one had hacked is ridiculous.
I certainly think that sweeping statements like this are premature and simplistic.
[q] It’s no secret that Apple’s developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that’s about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be “open” about this disaster in its public statement.
Sometimes organizations will leave known vulnerabilities in place even after they’ve been reported. So sometimes it takes the threat of going public -and even much worse- to actually get companies to take notice.
While I don’t agree with taking such data – sometimes it’s a lesser evil compared to that software going unpatched and open to genuine malicious intent. So while I don’t agree with what he did, I can forgive him for doing it.
The problem is that he never put any pressure on them. He just sat on his ass and maybe sent some emails to Apple. He never publicly disclosed the vulnerabilities after, say, a week of no action from Apple like he should have done.
To be honest, it smells not unlike that he tried to extort something from them. I mean, why else would he not publicly disclose what he knew once he thought Apple had taken too long? The only other explanation that makes sense is that he’s an incompetent dumbass.
He wouldn’t be the first security researcher to do so either. I’ve read a few times where people have gotten fed up with the lack of cooperation Apple give when vulnerabilities are reported.
Edited 2013-07-22 15:19 UTC
Doesn’t matter, still a dumbass and unethical move. Doesn’t matter if he waited days or weeks or whatever. There are proper ways of disclosing stuff without stealing data and if he don’t know or don’t care, well, that makes him either stupid or a bad guy.
We don’t know how long he waited and no matter how long it doesn’t give him right to steal data.
Good or not, there’s little doubt that the hacker’s a moron.
Edited 2013-07-22 16:35 UTC
Jesus H. F. Christ, listen to yourselves! Had it happened to Ballmersoft, Oracle, Sony or whatever the unquestioned “baddies” are, you’d be rooting for the guy, no excuses. But because poor little underdog Apple got pwned, excuses start spawning left and right, moral judgements like “it’s not ethical and legal to hack (Apple)” arise from te grave etc.
No.
May I be wrong, but on most case hackers want the “spotlights”, it is on their DNA culture.
They work hard to find breaches and to rise their reputation over their competencies.
My best bet is: he worked hard to find holes, found, told Apple about them, waited for reconnaissance, did not come, raised the attempt to get it, failed again and now is very likely to be on a troubled situation.
Arrogance, pride and vengeance paves the shortest path to hell.
Hope he, somehow, gets as less burned as possible.
Reports at Electronista say Apple shut down it’s system fours hours after getting the email from ibrahim Balic.
http://www.electronista.com/articles/13/07/22/says.he.reported.vuln…
It’s perfectly possible to publicly disclose vulnerabilities without stealing data or causing damage. Any security researcher worth is salt knows this. Either he didn’t know or he didn’t care which makes him either not good at it or a bad guy.
If stealing data is required to get a company to actually give a shit and properly protect the data their customers entrust them with, then so be it.
The world isn’t black and white.
A bit rich coming from you I think given your comments about this story which portrayed things in a fairly black and white sort of way
How long was it between this guy telling Apple about the problem and stealing the data?
Let’s put it this way, if someone sent you an email telling you about a vulnerability on this web site how long before it was acceptable for him to break into your site using that vulnerability to steal some confidential data? A day? A week? A month?
Have you considered the possibility of two wrongs not making a right?
Uh hu, but you know what? He never even TRIED to disclose this publicly in a responsible way so…f–k him. His actions are irresponsible and unprofessional and gives real security researchers a bad rep
No but this guy is in the wrong.
Edited 2013-07-23 03:35 UTC
But is it necessary to steal data about 1000000 users to proof that the vulnerability exists?
It is isn’t ethical. I find it quite disturbing that you think the opposite.
There are a multitude of way that he could have drawn attention to the problem to force their hand without resorting to actually hacking the system.
I’ve found vulnerabilities in systems (usually SQL-injection) and have politely told the site owner.
Edited 2013-07-23 12:45 UTC
Good work would have been to publicly publish his findings and methods in a timely manner using any of the MANY different venues available for such disclosure. Accidentally that would also have made it clear for EVERYONE that there were problems with the site.
Stealing data, keeping quiet about the vulnerabilities for God knows how long until Apple makes a move and then whine about how you’re not getting credit is NOT good work. It’s being an irresponsible asshole.
Edited 2013-07-23 05:12 UTC
I have to say I totally 100% agree with you. I am not a security researcher but I would have definitely pursued something more ethical.
The tone from the comments has generally been one of sledge-hammering ibrahim Balic with the exception of a few neutral ones.
Would the same tone have been observed in the comments if the company whose security was breached and disclosed in this manner had been Microsoft rather than Apple?
We all crave for notorioty and a long standing ovation. The public statement by ibrahim Balic that the shut-down of the Apple Developer Center was in response to his identification of a vulnerability is not out of the norm for humans.
There are number of uncertain details – notably if he had provided sufficient technical details about how he did it in his first disclosure to Apple and how long he waited between this first disclosure and his going in again and gathering data to demonstrate what he disclosed was in fact possible.
Many mentioned that he should have publicly disclosed the vulnerability. I presume “publicly” implies a posting on a high tech forum focused on vulnerabilities of operating systems. This would have been the worst thing if there was no obvious applicable patch. First, this would have likely have attracted attempts to repeat the exploit on Apple owned/run servers in exponentially increasing numbers as details of the hack spread on the web. Second, there would be the downstream risk of any server connected to the web and running the same code being searched for and attacked. Who knows what personal data might have been gathered in such manner?
There are a couple of interesting snipets in the quoted text from TechCrunch:
“The hack only affected developer accounts; standard iTunes accounts were not compromised”
Hum – are there priviledge/special iTunes account and were they compromised? Since I am not an Apple Developer nor iTunes user, I can only speculate.
“Credit card data was not compromised”
Hum – OK. Then, what type of user data was compromised?
“They waited three days to alert developers because they were trying to figure out exactly what data was exposed”
Hum – Interesting. More like trying to figure out how to patch it and how to rapidly spot similar breaches in the future. Also, and pure speculation, assessing if there had been breaches before the one disclosed by ibrahim Balic which were undetected and what data might have been extracted during these breaches.
“There is no time table yet for when the Dev Center will return”
Not need for translation for this one.
You are kidding right? Apple is hated here more than Microsoft ever was. Almost!
Yes. Stealing data is not the right approach.
No, that’s the long established norm. If a company is unresponsive about a vulnerability you disclose it publicly after some time to put pressure on them and make users aware of the issue. What you don’t ever do is steal massive amounts of data to prove your point.
You do know that it’s possible to disclose this kind of information without actually giving exact instructions on how to do it, right?
Apple choose their very own path of non communication, even banning security companies from their devices.
Balic being a newbie to the Apple arena learnt his lesson the hard way.
Best never tell Apple anything and leave their faulty systems well alone. Users are usually happy in a sweet smelling deadly swamp
So what if the security forces and villains have the exclusive access. As long as no one ever finds out, all is well. That is how it usually works, at least until Apple maybe accidentally and near permanently kill a server.