Yesterday, it was confirmed by Apple themselves that the cause of the Dev Center's continued downtime was due to a security breach. The situation was made known to developers through an email informing them that the system was indeed hacked and as a countermeasure, Apple took the system down and it will be subjected to an overhaul. So who's behind this security breach? A security researcher claimed that he's the one responsible for the attack.
An individual that goes by the name Ibrahim Balic has stepped up and actually admitted that he's the man behind the Dev Center hacking. He even goes as far as explaining how exactly he was able to slip through the cracks of Apple's security. Ibrahim Balic said that he doesn't have any malicious intent behind his actions.
Balic swears up and down that he’s not a malicious hacker. Rather, he claims to be just a security buff who stumbled upon a way to access gobs of Apple user data, tried to warn the company about it, and made a (now private) video highlighting the security flaw in question when Apple wouldn’t respond.
Balic has been doing private consultation for particular firms and claims to be on Facebook's Whitehat List. For unknown reasons, he started researching on Apple. He said he was able to submit 13 bugs to Apple since July 16th and continues to do so on July 18th, the day the dev center went down. So how was he able to breach Apple's security?
That little security issue is centered around Apple’s iAd Workbench, a recently launched tool that lets users craft and target iAd campaigns to better build hype around their iOS apps. Balic discovered that if you manipulated a request sent to the server that runs Workbench, it would allow you to try to add a new user to the account. From there you could try throwing in first names, last names — whatever really — and the server would then respond with a full name and email address. Once Balic understood the full scope of the problem, he (and this is where his rationale loses me a bit) wrote a Python script to scrape all the data he could find and showed some of it on YouTube.
Balic said he was able to gather over 100,000 user credentials. On top of that, he also found another vulnerability inside the Dev Center itself. While it looks like there is no malicious intent behind this attack, Balic's motives are still unknown. [via TechCrunch]Contact Us for News Tips, Corrections and Feedback