Researcher Takes Credit for Security Breach of Apple's Developer Center

kdarling · Jul 22, 2013

BaldiMac said:
That's not true. Reports are that he exploited the vulnerability and wrote a script to harvest the data.

Oh for goodness' sake. This is why people should not comment on topics outside of their experience.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.

You guys are shooting the messenger, instead of reading the message.

shandyman · Jul 22, 2013

kdarling said:
Oh for goodness' sake. This is why people should not comment on topics outside of their experience.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.

You guys are shooting the messenger, instead of reading the message.

The difference is you work for the company you test bugs for. He didn't.

Sent from my iPhone using Tapatalk 2

BaldiMac · Jul 22, 2013

kdarling said:
Oh for goodness' sake. This is why people should not comment on topics outside of their experience.

You know nothing about me.

When I'm testing a bug, especially a server one, I quite often write a script to figure out the parameter limits. I'm not alone in doing that.

In fact, most corporations use third party security audit tools that use scripts to, as you put it, "harvest data" in order to find vulnerabilities in their websites... something that Apple apparently did not do well enough.

Which is all well and good if you have authorized access to the server.

You guys are shooting the messenger, instead of reading the message.

Read the message. Upset with Apple for not finding the vulnerability first. Also upset with security researcher for exploiting the vulnerability rather than simply reporting it. A decision which resulted in problems for many people. Also, for publishing the user data publicly.

blitzer09x87 · Jul 22, 2013

i dont understand what was he researching for, seems fishy.

KevinMac · Jul 22, 2013

bhatu said:
i think samsung gonna hire him!

lol :d

kdarling · Jul 22, 2013

shandyman said:
The difference is you work for the company you test bugs for. He didn't.

He's an Apple developer, which also makes him an Apple customer.

It was his data that's at risk as well.

As noted, he (and others) have notified Apple many times of various bugs in their system. This is normal.

BaldiMac said:
You know nothing about me.

True. Except for the Tar Heel emblem, which is why I love ya

(UNC-CH alumnus here)

Which is all well and good if you have authorized access to the server.

As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.

Read the message. Upset with Apple for not finding the vulnerability first. Also upset with security researcher for exploiting the vulnerability rather than simply reporting it. A decision which resulted in problems for many people. Also, for publishing the user data publicly.

He did report the vulnerability instead of exploiting it.

Just as he had reported other vulnerabilities.

He had no idea that Apple would shut down the site. That was their own doing, and they did that days before he popped up in public.

Heck, we still don't know if his bug report had anything to do with the shutdown. Apple's sure not talking.

MegamanX · Jul 22, 2013

ratfink said:
To everyone proclaiming this guy an evil hacker, keep in mind that many large companies now run bug bounty programs where they pay you if you find holes in their products. These companies include: Facebook, Google, Microsoft, Paypal, and possibly even Apple. Although Apple does not appear to offer monetary rewards, they do give public credit for issues found in their websites.

I've always questioned the wisdom of companies allowing testing on their production sites, especially when no registration and pre-approval is required. But this isn't exactly the black & white issue some of you are making it out to be.

well my argument for it would be that it will be done no matter what. Only difference with the bug bounty you will be getting a lot more people who are not in it for the less ethical reasons and will never tell them what the holes are or what they stole. With the bounty you have a greater chance of the holes being found, reported and plugged before a lot of data is stolen.

Chances are employees do not get to share in that bounty.

----------

shandyman said:
The difference is you work for the company you test bugs for. He didn't.

Sent from my iPhone using Tapatalk 2

You know a lot of companies will also do test like this on third parties they are considering if their data is very import to keep secure. They will do the test before they even bother vetting them any farther. Or they will do it on an on going bases for 3rd party they use for the same reasons.

thehatisonfire · Jul 22, 2013

I just got my third mail in the past 24 hours asking me to reset my password

Wtf is up with that?

RobertMartens · Jul 22, 2013

mdelvecchio said:
how do you figure that? apple said in their post that the stuff is encrypted...thats the opposite of letting it sit out in the open free for the plundering.

Some people felt that names and addresses were also valuable and should have been better protected

----------

linuxcooldude said:
Don't see any indication he let Apple know ahead of time, just simply he let them know. No proof he was NOT a crook. Its just as likely he said that because he got caught.

I think my whole point centered around the fact that he WASN'T caught.
He has been openly trying to contact Apple and having failed that he went public on a tech site to try and protect himself from being mischaracterized

linuxcooldude · Jul 22, 2013

kdarling said:
As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.

While he was an Apple developer, he accessed parts of the website where he was not authorized to go. Hence, why the website was taken down, unauthorized access. He took it too far.

He had no idea that Apple would shut down the site. That was their own doing, and they did that days before he popped up in public.

Whatever Apple decides to do was the direct result of his unauthorized access to parts of their website.

He did report the vulnerability instead of exploiting it

He exploited it by downloading users data. Whether or not he did it for proof.

gr8tfly · Jul 22, 2013

kdarling said:
He's an Apple developer, which also makes him an Apple customer.

...

As an Apple developer, he did have access. That's the point. Any registered developer could use the vulnerability, and there's no doubt some that are not as well intentioned as he was.
...

No, that's not a valid point. He would have only had access to his own account information and any other access or data Apple allowed through his agreement with Apple (made when creating his account).

He still was not authorized for access beyond the above.

Telling Apple about a potential exploit allowing unauthorized access is not the same as executing same. That's most likely the first in multiple potential charges against him. Beyond that, actually obtaining data he was not authorized to access would be the next charge. Perhaps making that data public a third.

Good intentions or not, unauthorized access to a computer system is a crime! I can't fathom how so many haven't the common sense to know not to touch other people's things! And, it's only for the initial actions that I can allow the possibility of "good intentions" (though still no excuse). Proclaiming what he did, then publicly displaying data he was not authorized for, is either extremely naive or just stupid (maybe a combination of the two).

the8thark · Jul 22, 2013

Simplicated said:
I think you should add quotation marks around the Researcher in the title. Or replace it with Idiot.

He claims that he has not spread the information to somewhere else. Is he necessarily speaking the truth? Also, is he not a hacker because he "alerted" Apple by intruding the system using a bug he found?

Now he's trying to rationalize his wrongdoing by providing evidence. He may be doing that because he doesn't want to be arrested. Exactly 10 people will sympathize with him.

Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.

What Snowden did was not a security related but it is another example of the need for certain things to go public. That's the only way certain issues will ever be fixed. This guy researcher or not did a good deed. People should say thank you, and not try to criminalise his actions.

Few people these day are grateful for work done like this.

gr8tfly · Jul 22, 2013

the8thark said:
Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.

What Snowden did was not a security related but it is another example of the need for certain things to go public. That's the only way certain issues will ever be fixed. This guy researcher or not did a good deed. People should say thank you, and not try to criminalise his actions.

Few people these day are grateful for work done like this.

The two cases are only vaguely related. The only thing in common is access to unauthorized data (or abuse of access). Snowden's case has unavoidable political aspects. There is nothing of the like in what this "researcher" did (I have no qualms about using quotes). He would have perhaps deserved thanks if he had handled his "discovery" differently. What he did was at a minimum unprofessional.

IGregory · Jul 22, 2013

the8thark said:
Getting security vulnerabilities (and other such things) fixed are important. And sometimes you need to go public for the big companies to take action on this.

Well, if that's the way you feel. But make certain you can do the time.

Zellio · Jul 22, 2013

thehatisonfire said:
I just got my third mail in the past 24 hours asking me to reset my password Wtf is up with that?

I still don't have a single email asking to update my password. But then I also only got the 'we got hacked' email 39 minutes ago...

DavidLeblond · Jul 22, 2013

I'm curious. If I were to get the dmg of the iOS beta from a developer friend of mine (I'm a paid developer as well, so put down your pitchforks!) could I install it or would it need the site to activate it?

cav23j · Jul 22, 2013

Im not even part of the developer program and I just got sent the developer email by Apple just like an hour ago, wtf are they doing

Naiche · Jul 22, 2013

DavidLeblond said:
I'm curious. If I were to get the dmg of the iOS beta from a developer friend of mine (I'm a paid developer as well, so put down your pitchforks!) could I install it or would it need the site to activate it?

It would depend, I'd think; on whether or not the devices you're loading it onto are listed under your developer devices.

BvizioN · Jul 22, 2013

Gnomepatrol said:
Apple if they sue him, is going to set a very dangerous precedent (for itself and possibly others) as no one in their right mind would let them know about a security vulnerability in the future.

Or... if Apple doesn't sue him, you are gonna have all the hackers (or hackers wannna be) trying to do the same as this guy did. I personaly hope Apple does not sue him. Even though what he did was stupid IMO.

szw-mapple fan · Jul 22, 2013

recklesslife85 said:
Couldnt he have done this after Beta 4 release - DAMN HIM!

And what would have happened? You would be screaming

"Couldnt he have done this after Beta 5 release - DAMN HIM!

"

Parystec · Jul 23, 2013

Site still down

OK you have all had your fun ...... Can we have the developer site back up now please.

And stop playing with that new Mac Pro

DavidLeblond · Jul 23, 2013

Naiche said:
It would depend, I'd think; on whether or not the devices you're loading it onto are listed under your developer devices.

They are, of course. But are the developer activation servers among those being overhauled? Are there even developer activation servers? I don't even remember.

Better safe than sorry, I guess.

linuxcooldude · Jul 23, 2013

Now it seems the researcher claims he gained access by using a new software recently put out by Apple which is the iAd Workbench.

He started testing/submitting bugs to Apple on July 16, then on July 18 Balic reported the bug same day users first started reporting downtime for Apples Dev Center.

Seems he did not give Apple anytime to reply/research the problem to begin with. That is if any of this is true.

Masquerade · Jul 23, 2013

Rogifan said:
How do we know this guys intensions were good? Even if they were do the ends justify the means?

you don't discover a backdoor in a bank and go tell everyone.

jovada · Jul 23, 2013

millarj said:
Is the guy "testing" my front door with a crowbar also a security researcher?

Don't compare "a house" with something like Apple's developer portal. There aren't millions of personal data files stored in your house. Bad comparison...

Researcher Takes Credit for Security Breach of Apple's Developer Center

macrumors P6

Suspended

macrumors G3

macrumors 6502

macrumors regular

macrumors P6

macrumors regular

macrumors newbie

macrumors 65816

macrumors 68020

macrumors 603

macrumors 601

macrumors 603

macrumors 6502a

macrumors 65816

macrumors 68020

macrumors regular

macrumors newbie

macrumors 603

macrumors 68040

macrumors member

macrumors 68020

macrumors 68020

macrumors 6502a

macrumors regular