Last Thursday, Apple’s online Developer Center went down for maintenance. While the regular outage typically lasts a few hours, it wasn’t until Sunday night that Apple acknowledged the issue. In a message to its developer community and the press, Apple explained that an “intruder” had breached the Dev Center’s database. Apple claimed that no personal data was stolen from its users, but the threat was great enough to warrant a complete rebuilding of the site’s backend.
A Turkish security researcher by the name of Ibrahim Balic has come forward as the person responsible for the hack, although he claims no foul play and has submitted his bugs to Apple. More information has been revealed regarding how Balic got past Apple’s security.
TechCrunch spoke with Balic about what he did to gain access to thousands of Apple IDs. The 25-year-old hacker is a security researcher who has gone bug hunting for other companies like Facebook. He only recently turned his attention to Apple for unknown reasons.
He has reported 13 bugs to Apple since July 16th alone, and the last one he filed was on July 18th—the same day Apple took the Dev Center down. What’s surprising is that the threat mainly surrounded iAd, Apple’s advertising platform.
That little security issue is centered around Apple’s iAd Workbench, a recently launched tool that lets users craft and target iAd campaigns to better build hype around their iOS apps. Balic discovered that if you manipulated a request sent to the server that runs Workbench, it would allow you to try to add a new user to the account. From there you could try throwing in first names, last names — whatever really — and the server would then respond with a full name and email address. Once Balic understood the full scope of the problem, he (and this is where his rationale loses me a bit) wrote a Python script to scrape all the data he could find and showed some of it on YouTube.
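The server behaviour described above, modelled as an added example (not code from the article, from Balic, or from Apple): a constructed "add user" handler that answers a name guess with the matching directory record sits beside a hardened handler that returns the same response whether or not the name exists, rate-limits each caller, and logs every attempt. The directory contents, caller ids and limits are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample directory (not real data): the records an "add user"
# endpoint can see, keyed by a guessable first name as the article describes.
DIRECTORY = {
    "alice": {"full_name": "Alice Example", "email": "alice@example.invalid"},
    "bob": {"full_name": "Bob Example", "email": "bob@example.invalid"},
}

def leaky_add_user(first_name):
    """Pattern the article describes: on a name guess the server answers with
    the matching record's full name and email, so it acts as a lookup oracle."""
    record = DIRECTORY.get(first_name.lower())
    if record is None:
        return {"status": "error", "message": "no such user"}
    return {"status": "ok", "full_name": record["full_name"], "email": record["email"]}

# Hardened handler: identical response shape whether or not the guess matched,
# a per-caller attempt counter so bulk guessing is cut off, and an audit log
# that a detection rule can watch for bursts of add-user requests.
ATTEMPTS = defaultdict(int)
AUDIT_LOG = []
MAX_ATTEMPTS = 5  # assumed limit for the example

def hardened_add_user(caller_id, first_name):
    ATTEMPTS[caller_id] += 1
    AUDIT_LOG.append((caller_id, first_name))
    if ATTEMPTS[caller_id] > MAX_ATTEMPTS:
        return {"status": "error", "message": "too many requests"}
    # Existence of the name is never reflected in the reply; any invitation
    # would go out of band, so the caller learns nothing about the directory.
    return {"status": "pending", "message": "invitation queued for review"}

def count_leaked_records(handler, guesses):
    """Replays a list of name guesses against a handler and counts how many
    replies carried an email address: the size of the leak."""
    return sum(1 for g in guesses if "email" in handler(g))

# Constructed guess list: two names exist in DIRECTORY, four do not.
GUESSES = ["alice", "bob", "carol", "dave", "eve", "frank"]
```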
The YouTube video Balic posted has since been made private. He said he took 73 Apple employees’ user details as proof that his process worked. Until Apple fixes the vulnerability, Balic claims he has access to 100,000+ user credentials.
Balic told TechCrunch that he also found a vulnerability in the Dev Center itself, but he claims that he never tried it out. Apple obviously thought his findings warranted serious action, and the Dev Center is currently experiencing an unprecedented outage.
The good news is that it doesn’t look like Balic has malicious intent, although his motives are still difficult to understand. No financial information appears to have been compromised either.
We’ve reached out to Balic for clarification on what exactly he was able to uncover, and if Apple has contacted him personally.