We now supposedly know who is responsible for the Apple Developer Portal being down for the past four days. Security researcher Ibrahim Baliç has revealed himself as the source behind what Apple is calling an “intrusion” into their systems.
Baliç discovered a vulnerability, alongside 12 other security issues, that allowed him to access the details of over 100,000 Apple developer accounts, including their email addresses and names. To see the hack in action, check out his YouTube video.
Why 100,000 Records?
I’m not a security researcher, but my guess is that he accessed that many records to see how deep he could go when reporting the vulnerability. The more data you can access, the bigger an issue it is.
Could he have stopped at 100 records and reported the issue? Probably, but we don’t know if Apple would have been so quick to react to it.
Why the Video?
If you look at the statement Apple put out on Sunday, it reads as if they are the victim of a malicious hacker who broke into their systems and stole information. Here’s the actual wording:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In reality (assuming that Baliç is indeed the source for this downtime), a security researcher with a proven track record of being a white hat hacker discovered the vulnerability and reported it to Apple through their official channels: RadarWeb.
But That Video Shows Personal Information!
Indeed, his biggest crime is posting the personal information of five people in a YouTube video to prove the vulnerability. The irony of a security researcher being so personally insecure about how he is labeled that he goes to YouTube isn’t lost on me.
And there are likely better ways he could have proven the hack to the media, such as with technical details, but the video is 2 minutes of absolute proof that the issue is there and far easier to understand than technical jargon.
Baliç’s biggest crime is having an ego and not wanting his work misrepresented. I don’t approve of the way he went about it, but I’m not going to vilify him over showing five or so email addresses when the good he’s done in helping Apple secure their stuff far outweighs the bad.
It will be unfortunate if the only thing people focus on is this video rather than the fact that Apple had a serious vulnerability in their system that left all of our personal information at risk.
How Do Other Companies Handle This?
A lot of tech companies have dedicated pages where they highlight the channels for responsibly reporting security issues. They also give public acknowledgement to the folks who have reported the biggest vulnerabilities. Here are just a few:
Baliç is listed on Facebook’s list of white hat reporters so I’m willing to give him the benefit of the doubt as doing this work for good rather than nefarious purposes.
I’m not a security researcher, but I’ve watched Hackers enough to know that one of the big reasons for exploring these sorts of cracks in systems like Apple’s is for the recognition amongst your peers and other companies. To a white hat hacker, being listed on Google or Twitter’s list of people who have reported major vulnerabilities is not only validation for your work, but also likely money in your pocket as others will hire you to break into their systems.
Apple is a culture built around secrecy so I highly doubt they’d set up a public page that championed folks like this, but they have long listed reporters in their Security Update knowledge base articles.
Someone Must Take The Blame!
The vulnerability isn’t Baliç’s. It’s Apple’s. He just discovered it and Apple deemed it severe enough that their response was to take down their entire developer program until they can close the hole.
I am not fine, however, with them trying to paint themselves the victim of malicious intent when in reality it looks as though someone properly reported a vulnerability in their code to them.
No one comes out of this looking clean, but it could have been a lot worse if a hacker with darker motives had discovered the vulnerability before Baliç.