The Apple Dev Centre data breach has taken an intriguing turn, with a self-styled security researcher calling himself ibrahim BALİÇ (Ibrahim Balic) taking the credit.
Or, perhaps more onerously for Mr Balic, shouldering the blame.
Balic outed himself in a comment posted against an article about the breach published on Tech Crunch.
The key claims are:
In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.
One of those bugs has provided me access to users details etc. I immediately reported this to Apple. I have taken 73 users details (all apple inc workers only) and prove them as an example.
4 hours later from my final report Apple developer portal has closed down and you know it still is.
Given that his original grab of 73 user records came four hours before the Dev Center went down, it seems reasonable to assume that this was last Thursday – less than a week ago.
And even the most aggressive “responsible disclosure” rules, those proposed recently by Google, suggest that seven days is a minimum time to wait before getting pushy about things.
But Balic apparently didn’t have that much patience.
He could simply have revealed that he had reported a way to breach Dev Center security just before the site went down, since people were pondering that very question, but he went one step further.
Over the weekend, he claims he went ahead and recovered 100,000 or more items of private data; then he made a video that said so:
He went one step further in that video, clearly revealing a number of those purloined records:
That led to a curious exchange of comments:
Fellow Tech Crunch reader Nikita Likhachev asked “Why did you obtain users’ details in the first place? Why didn’t you just stop at the moment of reporting bugs?”
Unsurprisingly, when Balic responded that he “did not obtain user details,” Likhachev replied, “On July, 21 you wrote: ‘I have over 100,000+ users details’. Correct me if I’m wrong.”
Indeed.
It will be interesting to see what comes out of this.
As another Tech Cruncher called ObscureBug asks rather pointedly:
It would have been safer and more prudent to either give them a way to exercise the vulnerability without you taking any data. The instant argument will be that you don't need the personal details of 73 people to demonstrate a hole - perhaps one at most would be a good enough example. People have tried your arguments before and ended up in jail. To make it worse, what on earth possessed you to create a video of it for public consumption?
I presume that’s a rhetorical question, but let’s take it literally.
What do you think?
Is the real blame Apple’s for having the hole in the first place?
Is it a storm in a teacup to fret over the comparatively few records Balic publicly revealed, apparently knowing he wasn’t supposed to have them, and to blazes with the privacy of the users whose names he published?
Or has Balic crossed the line of fair play?
There is no justification whatsoever for Mr. Balic's publicly revealing private information he does not own. This nonsense of interfering with the rights of individuals in the name of "a greater good" is the same witchcraft by which great harm is always passed off as being justifiable.
Apple's unresponsiveness is legendary. It's the way they are. Attacking them, stealing information of Apple users or employees…none of that is going to change Apple's behavior. If anything, it will make them even more tightly closed.
Of course Apple is to "blame" for having the hole in the first place, in the sense that they're responsible for the security of their sites. The same is true of any company who, despite their best efforts, have holes in their security. But that doesn't mean they deliberately allow those holes to exist.
As you pointed out in another NakedSecurity article on this same subject, "…no serious company intends to get hacked, and all of those who have been pwned lately would likely have, entirely honestly, have said 'right'."…in answer to the question, "You keep your customers' information well protected, right?"
Mr. Balic has crossed the line by revealing information he has stolen, and does not own.
He has found a chocolate box and when a kid does that, he eats more than once. Yes he crossed the line but I think it's just because of his excitement to be the one who could hack one of Apple's web services for the first time.
And yes, the real blame is; Apple!
Pathetic English by Mr. Balic
Maybe you can try to explain everything in Turkish ha.
That is just his second language? Do you have a second language that will let you write as much as he did?
When you are a developer for a company, one of the last things they would expect is to have that person looking for ways into the site. So maybe their security concerns were lowered as it's not a public site and I assume you have to be logged in to get the information he has usurped.
When you work for a bank you don't walk off with money to show them their error, and you don't distribute personal information to get them to acknowledge your efforts. As was mentioned Apple is slow to respond.
As far as his English, why don't you write him in Russian or whatever his natural language and explain it to him? English is a difficult language and I'm glad he tries, whatever his faults.
IMHO yes, he went too far.
Jack
Saying it is not a public site is like saying facebook is not a public site – both of them require an account to use, and you can easily get a free account for both of them (I've had an Apple Dev account for many years and have never paid them a cent).
I do agree that he went too far though.
Judging by his name, i'd say he's Turkish.
For every person who posts something like this on YouTube, there are surely hundreds who use such exploits for private gain.
The irony is he appears to be located in London. Which means that presumably if he were to be "punished" he wouldn't be all that hard to locate.
Run searches on YouTube for terms like "XSS" or for SQL injections – a whole lot of them are coming from places that don't exactly have extradition treaties with the United States.
Who cares if he went too far – we know what he did.
Maybe there was no data breach and this was a backdoor for the continued usage of the Prism program provided by the company. And, Balic the researcher wasn't supposed to find it.
Latest update about apple, I wouldn't want to do this but I've been forced as there is no solution to it. follow me 😉
tomorrow at 12am
======================================================================================
Thanks for your reply and listing my name on your White-hat list. However there is a problem occurring on my side, I get responses as lamer or hacker. I am unsatisfied about this. I can prove this step by step (Exploit + User Datas + Stored-XSS/Screen Shots + Report Dates and Report Details) to all people such as editors and journalists to expose my innocence.
I have tried all my best, but all good things seem to be going bad; this is not a hard thing for you, to publish what my intention was. I believe this should not be very hard for you.
I have reported 15 different bugs, at the end I’ve been credited only for one bug. I would like to know why? Please let me know by tomorrow at 12am, otherwise I will have to solve it all by myself.
Intentionally my steps were all good and I hope you will understand me.
Thanks, Ibrahim BALIC
===================