Apple shuttered its developer portal last week, after an intruder compromised its system and may have accessed developers’ names, addresses and email addresses, the company stated in a notice published on July 21 on its site.
On the same day, a software developer claimed credit for the breach in the comments section on TechCrunch, posting a video which reportedly showed access to sensitive developer information. The developer and part-time security researcher named Ibrahim Balic claimed that he had found 13 vulnerabilities in Apple’s site and had reported the issues last week to Apple, resulting in the site being taken down.
The video has since been removed from YouTube and Balic has sent messages to Apple via Twitter and email. The company finally reached out to him on July 23, he said in an email interview with eWEEK.
Balic wrote “I did not do anything bad towards apple company and to their prestige,” in his July 23 email. “I did not wanted (sic) this situation to come up here. They have contacted me earlier this morning with an email. Also asked me to get intouch with phone call.”
Balic first reported the issues on July 16, and issued his final report to Apple on July 19, the software developer said. He was able to access more than 100,000 user account details, actually accessing 73 records—all of Apple employees—to demonstrate the vulnerability, he said.
Within hours of his final report, Apple pulled down the site, he claimed.
On Sunday, July 21, Apple posted a notice to its site, characterizing the breach as an attack. “Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer Website,” the company stated. Apple did not respond to requests for comment.
The company apologized for the downtime, but stated it would rebuild the developer portal with a greater focus on security.
“We’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database,” the company stated in the notice. “We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer Website up again soon.”
The brute forcing of the password file is a typical danger of such breaches, especially if the victims reused their passwords on other accounts. Yet, while Apple did not specifically mention passwords in its notice, the company stated that sensitive information from the accounts was encrypted and could not be accessed.
Another danger of such breaches is that the information will be used to send phishing email messages, said Chris Hinkley, senior security architect of secure cloud-hosting provider FireHost.
“That’s the biggest risk—phishing of developers,” he told eWEEK. “If the wrong people got a hold of the information, they could use it to craft targeted attacks.”
For those reasons, Balic may find himself in legal jeopardy. The unauthorized testing and hacking of Websites, even if done for the best intentions, is illegal. In 2005, security consultant Eric McCarty exploited flaws in the online application service of the University of Southern California, publicizing the issues. Federal prosecutors pursued a case against the consultant and the next year, McCarty pleaded guilty to a single felony count.