The Apple Dev Centre data breach has taken an intriguing turn, with a self-styled security researcher calling himself ibrahim BALİÇ (Ibrahim Balic) taking the credit.
Or, perhaps more onerously for Mr Balic, shouldering the blame.
Balic outed himself in a comment posted against an article about the breach published on Tech Crunch.
The key claims are:
In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.
One of those bugs has provided me access to users details etc. I immediately reported this to Apple. I have taken 73 users details (all apple inc workers only) and prove them as an example.
4 hours later from my final report Apple developer portal was closed down and you know it still is.
Given that his original grab of 73 user records came four hours before the Dev Center went down, it seems reasonable to assume that this was last Thursday – less than a week ago.
And even the most aggressive “responsible disclosure” rules, those proposed recently by Google, suggest that seven days is a minimum time to wait before getting pushy about things.
But Balic apparently didn’t have that much patience.
He could simply have revealed that he had reported a way to breach Dev Center security just before the site went down, since people were pondering that very question, but he went one step further.
Over the weekend, he claims he went ahead and recovered 100,000 or more items of private data; then he made a video that said so:
He went one step further in that video, clearly revealing a number of those purloined records:
That led to a curious exchange of comments:
Fellow Tech Crunch reader Nikita Likhachev asked “Why did you obtain users’ details in the first place? Why didn’t you just stop at the moment of reporting bugs?”
Unsurprisingly, when Balic responded that he “did not obtain user details,” Likhachev replied, “On July, 21 you wrote: ‘I have over 100,000+ users details’. Correct me if I’m wrong.”
It will be interesting to see what comes out of this.
As another Tech Cruncher called ObscureBug asks rather pointedly:
It would have been safer and more prudent to either give them a way to exercise the vulnerability without you taking any data. The instant argument will be that you don't need the personal details of 73 people to demonstrate a hole - perhaps one at most would be a good enough example. People have tried your arguments before and ended up in jail. To make it worse, what on earth possessed you to create a video of it for public consumption?
I presume that’s a rhetorical question, but let’s take it literally.
What do you think?
Is the real blame Apple’s for having the hole in the first place?
Is it a storm in a teacup to fret over the comparatively few records Balic publicly revealed, apparently knowing he wasn’t supposed to have them, and to blazes with the privacy of the users whose names he published?
Or has Balic crossed the line of fair play?