Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Researcher Takes Credit for Security Breach of Apple's Developer Center

BaldiMac said:
That's not true. Reports are that he exploited the vulnerability and wrote a script to harvest the data.
Click to expand...

Oh for goodness' sake. This is why people should not comment on topics outside of their experience.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.

You guys are shooting the messenger, instead of reading the message.
 
kdarling said:
Oh for goodness' sake. This is why people should not comment on topics outside of their experience.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.

You guys are shooting the messenger, instead of reading the message.
Click to expand...

The difference is you work for the company you test bugs for. He didn't.


Sent from my iPhone using Tapatalk 2
 
kdarling said:
Oh for goodness' sake. This is why people should not comment on topics outside of their experience.
Click to expand...

You know nothing about me.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.
Click to expand...

Which is all well and good if you have authorized access to the server.

You guys are shooting the messenger, instead of reading the message.
Click to expand...

Read the message. Upset with Apple for not finding the vulnerability first. Also upset with security researcher for exploiting the vulnerability rather than simply reporting it. A decision which resulted in problems for many people. Also, for publishing the user data publicly.
 
shandyman said:
The difference is you work for the company you test bugs for. He didn't.
Click to expand...

He's an Apple developer, which also makes him an Apple customer.

It was his data that's at risk as well.

As noted, he (and others) have notified Apple many times of various bugs in their system. This is normal.

BaldiMac said:
You know nothing about me.
Click to expand...

True. Except for the Tar Heel emblem, which is why I love ya :) (UNC-CH alumnus here)

Which is all well and good if you have authorized access to the server.
Click to expand...

As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.

Read the message. Upset with Apple for not finding the vulnerability first. Also upset with security researcher for exploiting the vulnerability rather than simply reporting it. A decision which resulted in problems for many people. Also, for publishing the user data publicly.
Click to expand...

He did report the vulnerability instead of exploiting it.

Just as he had reported other vulnerabilities.

He had no idea that Apple would shut down the site. That was their own doing, and they did that days before he popped up in public.

Heck, we still don't know if his bug report had anything to do with the shutdown. Apple's sure not talking.
 
ratfink said:
To everyone proclaiming this guy an evil hacker, keep in mind that many large companies now run bug bounty programs where they pay you if you find holes in their products. These companies include: Facebook, Google, Microsoft, Paypal, and possibly even Apple. Although Apple does not appear to offer monetary rewards, they do give public credit for issues found in their websites.

I've always questioned the wisdom of companies allowing testing on their production sites, especially when no registration and pre-approval is required. But this isn't exactly the black & white issue some of you are making it out to be.
Click to expand...


well my argument for it would be that it will be done no matter what. Only difference with the bug bounty you will be getting a lot more people who are not in it for the less ethical reasons and will never tell them what the holes are or what they stole. With the bounty you have a greater chance of the holes being found, reported and plugged before a lot of data is stolen.

Chances are employees do not get to share in that bounty.

----------
shandyman said:
The difference is you work for the company you test bugs for. He didn't.


Sent from my iPhone using Tapatalk 2
Click to expand...

You know a lot of companies will also do test like this on third parties they are considering if their data is very import to keep secure. They will do the test before they even bother vetting them any farther. Or they will do it on an on going bases for 3rd party they use for the same reasons.
 
mdelvecchio said:
how do you figure that? apple said in their post that the stuff is encrypted...thats the opposite of letting it sit out in the open free for the plundering.
Click to expand...

Some people felt that names and addresses were also valuable and should have been better protected

----------
linuxcooldude said:
Don't see any indication he let Apple know ahead of time, just simply he let them know. No proof he was NOT a crook. Its just as likely he said that because he got caught.
Click to expand...

I think my whole point centered around the fact that he WASN'T caught.
He has been openly trying to contact Apple and having failed that he went public on a tech site to try and protect himself from being mischaracterized
 
kdarling said:
As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.
Click to expand...

While he was an Apple developer, he accessed parts of the website where he was not authorized to go. Hence, why the website was taken down, unauthorized access. He took it too far.

He had no idea that Apple would shut down the site. That was their own doing, and they did that days before he popped up in public.
Click to expand...

Whatever Apple decides to do was the direct result of his unauthorized access to parts of their website.

He did report the vulnerability instead of exploiting it
Click to expand...

He exploited it by downloading users data. Whether or not he did it for proof.
 
kdarling said:
He's an Apple developer, which also makes him an Apple customer.

...

As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.
...
Click to expand...

No, that's not a valid point. He would have only had access to his own account information and any other access or data Apple allowed through his agreement with Apple (made when creating his account).

He still was not authorized for access beyond the above.

Telling Apple about a potential exploit allowing unauthorized access is not the same as executing same. That's most likely the first in multiple potential charges against him. Beyond that, actually obtaining data he was not authorized to access would be the next charge. Perhaps making that data public a third.

Good intentions or not, unauthorized access to a computer system is a crime! I can't fathom how so many haven't the common sense to know not to touch other people's things! And, it's only for the initial actions that I can allow the possibility of "good intentions" (though still no excuse). Proclaiming what he did, then publicly displaying data he was not authorized for, is either extremely naive or just stupid (maybe a combination of the two).
 
Simplicated said:
I think you should add quotation marks around the Researcher in the title. Or replace it with Idiot.

He claims that he has not spread the information to somewhere else. Is he necessarily speaking the truth? Also, is he not a hacker because he "alerted" Apple by intruding the system using a bug he found?

Now he's trying to rationalize his wrongdoing by providing evidence. He may be doing that because he doesn't want to be arrested. Exactly 10 people will sympathize with him.
Click to expand...
Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.

What Snowden did was not a security related but it is another example of the need for certain things to go public. That's the only way certain issues will ever be fixed. This guy researcher or not did a good deed. People should say thank you, and not try to criminalise his actions.

Few people these day are grateful for work done like this.
 
the8thark said:
Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.

What Snowden did was not a security related but it is another example of the need for certain things to go public. That's the only way certain issues will ever be fixed. This guy researcher or not did a good deed. People should say thank you, and not try to criminalise his actions.

Few people these day are grateful for work done like this.
Click to expand...

The two cases are only vaguely related. The only thing in common is access to unauthorized data (or abuse of access). Snowden's case has unavoidable political aspects. There is nothing of the like in what this "researcher" did (I have no qualms about using quotes). He would have perhaps deserved thanks if he had handled his "discovery" differently. What he did was at a minimum unprofessional.
 
the8thark said:
Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.
Click to expand...

Well, if that's the way you feel. But make certain you can do the time.
 
thehatisonfire said:
I just got my third mail in the past 24 hours asking me to reset my password :mad: Wtf is up with that?
Click to expand...

I still don't have a single email asking to update my password. But then I also only got the 'we got hacked' email 39 minutes ago...
 
I'm curious. If I were to get the dmg of the iOS beta from a developer friend of mine (I'm a paid developer as well, so put down your pitchforks!) could I install it or would it need the site to activate it?
 
Im not even part of the developer program and I just got sent the developer email by Apple just like an hour ago, wtf are they doing
 
DavidLeblond said:
I'm curious. If I were to get the dmg of the iOS beta from a developer friend of mine (I'm a paid developer as well, so put down your pitchforks!) could I install it or would it need the site to activate it?
Click to expand...

It would depend, I'd think; on whether or not the devices you're loading it onto are listed under your developer devices.
 
Gnomepatrol said:
Apple if they sue him, is going to set a very dangerous precedent (for itself and possibly others) as no one in their right mind would let them know about a security vulnerability in the future.
Click to expand...

Or... if Apple doesn't sue him, you are gonna have all the hackers (or hackers wannna be) trying to do the same as this guy did. I personaly hope Apple does not sue him. Even though what he did was stupid IMO.
 
Site still down

OK you have all had your fun ...... Can we have the developer site back up now please.

And stop playing with that new Mac Pro :p
 
Naiche said:
It would depend, I'd think; on whether or not the devices you're loading it onto are listed under your developer devices.
Click to expand...

They are, of course. But are the developer activation servers among those being overhauled? Are there even developer activation servers? I don't even remember.

Better safe than sorry, I guess.
 
Now it seems the researcher claims he gained access by using a new software recently put out by Apple which is the iAd Workbench.

He started testing/submitting bugs to Apple on July 16, then on July 18 Balic reported the bug same day users first started reporting downtime for Apple’s Dev Center.

Seems he did not give Apple anytime to reply/research the problem to begin with. That is if any of this is true.
 
millarj said:
Is the guy "testing" my front door with a crowbar also a security researcher?
Click to expand...

Don't compare "a house" with something like Apple's developer portal. There aren't millions of personal data files stored in your house. Bad comparison...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back