http://www.maclife.com/article/news/selfouted_security_researcher_may_be_blame_dev_center_outage
By Leif Johnson
Maclife.com
July 22, 2013
The Apple Developer Center has now been down since Thursday, making our
initial surprise on Friday that it'd been down for 30 hours seem almost
silly. And now the plot thickens further. After Apple finally announced
last night that a security breach was responsible for the delay, a
self-proclaimed "security researcher" named Ibrahim Balic came forward to
admit he may have been responsible.
The 25-year-old Balic initially explained his motivations in a TechCrunch
comment. "In total I have found 13 bugs and have reported through
http://bugreport.apple.com. The bugs are all reported one by one and Apple
was informed. I gave details to Apple as much as I can and I've also added
screenshots. One of those bugs has provided me access to users' details
etc. I immediately reported this to Apple. I have taken 73 users' details
(all Apple Inc. workers only) and prove them as an example. 4 hours later
from my final report Apple developer portal has closed down and you know
it still is."
Most of these bugs, surprisingly enough, dealt with iAd, Apple's
advertising platform, as TechCrunch learned after it followed up with
Balic for an interview. According to writer Chris Velazco, "That little
security issue is centered around Apple's iAd Workbench, a recently
launched tool that lets users craft and target iAd campaigns to better
build hype around their iOS apps. Balic discovered that if you manipulated
a request sent to the server that runs Workbench, it would allow you to
try to add a new user to the account. From there you could try throwing in
first names, last names -- whatever really -- and the server would then
respond with a full name and email address."
Balic claims he had good intentions in mind when he broke in, but the way
he handled the action may leave him in hot water. Rather than giving Apple
time to work out the problem after the report, he claimed he went one step
further and downloaded the private information for over 100,000 developers
through a Python script. That's a far cry from the actions of most "white
hat" hackers, who tend to avoid downloading any user data at all, let
alone the records of 100,000 users.
[...]