'Attack' on Apple Developer Site May Be a Misunderstanding
A screenshot of part of the message posted by Apple on the Apple Developer Center website, blaming the site's offline status on an 'intruder.'
CREDIT: Apple Inc.
At first it looked like an intruder had wormed into the core of Apple's Developer Center, potentially making off with personal information from dozens, if not hundreds, of accounts.
But now it seems the intruder was actually an independent security researcher trying to help Apple find bugs. And meanwhile the OS X and iOS developers caught in the middle still can't access their accounts.
The events began to unfold on July 18, when Apple took down its developer website, claiming it needed to perform routine maintenance. But late last night (July 21), Apple revealed in an email to developers the true reason for the site's shutdown: An "intruder" had exploited a bug in Apple's security and busted into the Developer Center, which serves as a hub for developers who make apps for OS X and iOS devices.
Apple said that credit-card information and other "sensitive personal information" is encrypted on the site and "cannot be accessed" by intruders. However, Apple admitted that it's possible the intruder was able to collect developers' names, emails and mailing addresses.
As of midday on July 22, the Developer Center was still offline. "We're completely overhauling our developer systems, updating our server software and rebuilding our entire database," Apple said in a statement.
But wait — there's more. Soon after Apple admitted its security had been compromised, London-based security researcher Ibrahim Balic came forward, claiming to be the "intruder" mentioned in Apple's statement. In the comments section of a TechCrunch article on the Apple security breach, Balic said he was "doing research" on Apple, not "intruding." In fact, he found 13 security flaws and reported them to Apple via the proper channel.
Apple has yet to comment on Balic's statements and has not changed its statement that an "intruder" breached the Developer Center security.
It's not uncommon for security researchers, particularly young up-and-comers, to conduct research on their own initiative. However, Balic made a few protocol errors that may have led Apple to treat his investigation as a full-scale cyberattack.
On TechCrunch, Balic claimed to have information on more than 100,000 developer accounts. But later, he backtracked, saying he didn't have any user details. Obtaining account information in the course of a security investigation as proof of concept is fairly standard practice. However, because Balic wasn't working for Apple at the time, it's possible the company could choose to take legal action.
Balic also posted a link to a self-made YouTube video documenting his research on the Apple Developer Center security. However, in the video, Balic failed to blur out the names and emails associated with dozens of Apple Developer accounts, which is considered extremely poor form in the security research community.
"Balic may not have been motivated by malice if he did, as appears to be the case, exploit a security hole in Apple's Developer Center," security research expert Graham Cluley wrote on his blog. "But he clearly was operating without Apple's permission."
If Balic's intentions truly were benign, then Apple committed a few protocol missteps of its own. Usually, when researchers approach companies about detected flaws, the companies will fix the flaws and then publicly thank the researcher, not call him or her an anonymous "intruder."
At this point, all that's really known is that there were security flaws in Apple's Developer Center, and someone exploited them to gain user information.
On a possibly unrelated note, there was a spike in Apple ID password-reset requests over the weekend. This could be a sign of a massive break-in attempt, wherein cybercriminals try to compromise as many user accounts as possible in order to gain access to personal information.
It's not clear if all the password reset requests came from Apple developer accounts or just regular accounts.