he had to actually hack apple to prove that the vulnerability existed
he was only proving that the door was unlocked
what was behind the door was not relevant to him
And he exposes the fake door key on YouTube, regardless of the purpose
 
I don't get the responses here.

This is how white hat hacking has gone on from day one.
 
You're equating a physical break-in to a house as being the same as a breach of online security... That is nearly as moronic as the car analogies computer enthusiasts try to use all the time while comparing hardware.

As far as we know he is telling us the truth. He found vulnerabilities and divulged them to Apple. He could have very easily taken as much as possible and gone off to sell the users' information and metadata. Also, if he is telling the truth, Apple, if they sue him, is going to set a very dangerous precedent (for itself and possibly others), as no one in their right mind would let them know about a security vulnerability in the future.

Again, this is assuming there is not another part to the story. However, the way things are going (I am talking overarching in the tech sector), I could just imagine Apple beating him to death anyway with a few lies and lawyers. Then parading about saying, "Look, we destroyed the bad hacker... who let us know about a security issue that put your information at risk." Then some overzealous attorney general trying to make a name for themselves will step in and put the harshest penalty on him... yeah, this guy should have just not said anything.

Actually, it's not moronic, it's common sense. If a "researcher" truly wanted to assist a company in testing their security, he would do so through the proper avenue. Contact Apple first to see if they even want this supposed free "service," and do so under their supervision like any other employee would. You can't provide somebody a service without notifying them and getting permission first. I don't care if it's the physical or digital world, the rules of common decency still apply.

You don't just break into someone's safe and tell them afterwards, "hey, by the way, you need a new lock on your safe, I was able to break in and steal your stuff. No worries, I didn't look at anything private, trust me. You can thank me later." That's just incredibly douchey. Why is it any different for digital safes?

He did not need to actually TAKE 100,000 user accounts. He should have stopped after discovery and after he sent his first "bug report" to Apple. But he didn't. He proceeded to actually take user data. It doesn't matter what his intent was. Fact is, he stole user information. And THEN he goes and makes a YouTube video with some of this data.

Sorry, that argument doesn't hold up in court.
 
Then why did he go inside and take stuff?

to show it could be taken

he wasn't after the stuff per se
it was just a demonstration to apple

and he only told apple about it

but they refused to talk to him and then labeled him a hacker instead of a researcher

if he was really just a hacker I don't think we would ever have even heard about it
 
Actually, it's not moronic, it's common sense. If a "researcher" truly wanted to assist a company in testing their security, he would do so through the proper avenue. Contact Apple first to see if they even want this supposed free "service," and do so under their supervision like any other employee would. You can't provide somebody a service without notifying them and getting permission first. I don't care if it's the physical or digital world, the rules of common decency still apply.

You don't just break into someone's safe and tell them afterwards, "hey, by the way, you need a new lock on your safe, I was able to break in and steal your stuff. No worries, I didn't look at anything private, trust me. You can thank me later." That's just incredibly douchey. Why is it any different for digital safes?

You obviously have never worked for a large or semi-large corporation and seen the absolute carelessness with which they go about security.

Businesses only care about security when it costs them money.
 
Then why did he go inside and take stuff?

To prove the door was unlocked. He probably felt that if he made these claims without proof, Apple would just shrug it off. Unfortunately, the proof had to be the compromised data.

This is a problem we face, the "if it ain't broke, don't fix it" approach. We don't realize something is broken until something catastrophic happens, like data servers being hacked or bridges collapsing.

And while I applaud his idea, his execution was faulty.
 
So he pointed out the flaw on the 19th and stole the data on the 22nd. That shows the amount of time it takes Apple to sort through all the security bug reports.

There was no reason to actually download the user data; just pointing out that he could steal the data was more than enough. The correct way to deal with it, if he wanted action taken immediately, would be to warn Apple that he was going to go public with the issue if they didn't work on fixing it immediately, and give them a set amount of time to deal with the issue. He could have even gone public without a warning, but actually downloading the user data seems malicious, unless he can claim he didn't know what he was downloading until after he downloaded it.

Somebody else stated that downloading data is a normal white hat hacking standard. I am unfamiliar with that. My buddy does this for a living so I'll ask him, but I would assume, just showing you can get to the data is more than enough.
 
It's good that he is helping to highlight flaws, but is there not a less havoc-wreaking way of doing so?

Not really. He can't prove there's a hole without demonstrating it. And he only demonstrated it to Apple.

His other option is to just shrug his shoulders and not bother telling anyone.
 
to show it could be taken

he wasn't after the stuff per se
it was just a demonstration to apple

and he only told apple about it

but they refused to talk to him and then labeled him a hacker instead of a researcher

if he was really just a hacker I don't think we would ever have even heard about it

To prove the door was unlocked. He probably felt that if he made these claims without proof, Apple would just shrug it off. Unfortunately, the proof had to be the compromised data.

This is a problem we face, the "if it ain't broke, don't fix it" approach. We don't realize something is broken until something catastrophic happens, like data servers being hacked or bridges collapsing.

And while I applaud his idea, his execution was faulty.

He could have obtained the same result by simply submitting information on the vulnerability to Apple with a time-frame for public release. No need to break in and take user information.
 
Actually, it's not moronic, it's common sense. If a "researcher" truly wanted to assist a company in testing their security, he would do so through the proper avenue. Contact Apple first to see if they even want this supposed free "service," and do so under their supervision like any other employee would. You can't provide somebody a service without notifying them and getting permission first. I don't care if it's the physical or digital world, the rules of common decency still apply.

So, just wait for the bad guys to figure it out and expose the information. That sounds a lot better.
 
This guy warned Apple and they did nothing, so he let himself in, took a beer out of the fridge and waited for Apple to come home.

Except that Apple WAS home.

Do that around here and you're at high risk of getting shot.

And it's not his beer to take out of the fridge.

Yes, I'm aware of certain security flaws in my home. They can be fixed, but at significant cost vs low odds of exploitation. Short of building The Safe House, there will always be security weaknesses, and some self-appointed caretaker will delight in breaching an attractive weakness and showing off - until he finds himself face-down in the dirt in the front yard, handcuffed and waiting for the police to arrive to take him for criminal indictment and a pissed-off homeowner eager to take the stand for the prosecution.

Absurd comment posted earlier aside (invoking Terrorism! Guantanamo! stupidity), breaching one's security is usually not taken well, and this guy made a high-profile breach against a very prideful & secretive company used to coming down on transgressors like a ton o' bricks. Ask the guys involved in the "lost iPhone 4" case how well that went for them - and that was just a prototype lost in a bar, not a prototype stolen from a secured lab.
 
His story sounds genuine, but no matter what the motive, it's still hacking without permission, and unfortunately he'll suffer the consequences. For someone clever enough to do it, it's surprising he's dumb enough to go about it the way he did.
 
He can't prove there's a hole without demonstrating it. And he only demonstrated it to Apple.

It wasn't his business to prove there was a hole. It wasn't his hole to discover, quantify, prove, nor publicize.

And he11 yeah he demonstrated it to more than Apple. There's a lot of us ticked-off developers out here unable to get millions of $$$$ of work done because he "had" to prove the hole, compelling :apple: to slam the doors shut until they can fix his uninvited unauthorized breach.
 
He could have obtained the same result by simply submitting information on the vulnerability to Apple with a time-frame for public release. No need to break in and take user information.

Perhaps he sent a simple command first to see if he could get his own info... and did.

The next natural thing for a database person to do is use a wildcard request. Bam! 100,000+ responses before he could stop it.

--

In any case, we don't yet know what his email to Apple said. Maybe he did just give the example command.
 
I think the point is this... He realized he got caught trying to get passwords, then posted, "Oh, I'm an innocent for-hire 'independent' security tester, don't mind me, Apple didn't ASK/hire me, but that's OK, I have 100k user accounts now."

VERY fishy - likely he had an agenda: (1) to get his 15 minutes to get his name out there, (2) he got caught and is covering now.

Of course.. some just accept what people say at face value.. especially on the internet.. Lemmings R' US these days!

the internet is pure truth
 
This is how white hat hacking has gone on from day one.

And it's been wrong & illegal from day one.

Wandering down the street kicking in front doors and leaving notes in the mailboxes of people whose doors succumbed to being kicked in will never be taken well, no matter how many doors get kicked in and no matter how white the kicker's hat is.
 
It wasn't his business to prove there was a hole. It wasn't his hole to discover, quantify, prove, nor publicize.

And he11 yeah he demonstrated it to more than Apple. There's a lot of us ticked-off developers out here unable to get millions of $$$$ of work done because he "had" to prove the hole, compelling :apple: to slam the doors shut until they can fix his uninvited unauthorized breach.

This, quite frankly, is ridiculous. You've been using a developer portal that has a security flaw. You've been at risk all this time. You'd still be at risk today if it weren't for this researcher.

Apple is doing what they had to do. They'd have had this downtime with or without a massive dissemination of personal information. You got through it WITHOUT the massive dissemination of personal information.
 
You obviously have never worked for a large or semi-large corporation and seen the absolute carelessness with which they go about security.

Businesses only care about security when it costs them money.

It doesn't matter how careless they are with security. That argument doesn't hold up in court, because it's a baseless argument. He didn't need to actually steal the data. No one asked him to check for leaks. If he wanted to be a good Samaritan and notify Apple of the potential for a leak, then he should have just stopped at his initial bug report with Apple and left it up to them. But then he stole 100k accounts so Apple would take him more seriously, and goes and publishes some of that info in a YouTube video.

Nope. Sounds douchey to me.
 