Researcher claims he told Apple of Developer Center vulnerability but didn’t maliciously steal data

Researcher claims he told Apple of Developer Center vulnerability but didn’t maliciously steal ...

Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability.

A press statement from Apple said that ‘an intruder’ attempted to secure personal information about registered developers from the site, but the company provided no further details about the incident. While it confirmed a server holding payments details was unaffected, the company did not confirm if user data had leaked out.

UK-based Ibrahim Balic claims that his recent research on Apple saw him unearth 13 bugs from its system, highlighting a hole that could leave data from the Developer Center exposed. Balic claims he showed Apple 73 user accounts from its own workers to illustrate the flaw when he contacted the company to help them fix it. Though he admits he managed to get hold of data from more than 100,000 users, he maintains he did not hack the system for malicious purposes.

Balic suggests that, despite his intention to help the company, Apple viewed his access as a security breach and promptly shut down the Developer Center on Thursday. The firm did not provide an explanation until Sunday.

The independent security researcher says he is “a bit irritated” that Apple cited an attempted security breach as the reason for the developer site outage, and he appears concerned that he will be blacklisted or punished for his efforts. He revealed his story in a comment made in response to an article on TechCrunch.

Here’s the comment in full and unedited, followed by a video he published to support his claim that he was exposing the issue rather than hacking Apple’s system:

Hi there,

My name is ibrahim Balic, I am a security researcher. You can also search my name from Facebook’s Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple inc.

In total I have found 13 bugs and have reported through The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I’ve also added screenshots.

One of those bugs have provided me access to users details etc. I immediately reported this to Apple. I have taken 73 users details (all apple inc workers only) and prove them as an example.

4 hours later from my final report Apple developer portal gas closed down and you know it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any respond to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watch/read that whether legal authorities were involved in its investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not done this research to harm or damage. I didn’t attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise of seeing how deep I can go within this scope. I have over 100.000+ users details and Apple is informed about this. I didn’t attempt to get the datas first and report then, instead I have reported first.

I do not want my name to be in blacklist, please search on this situation. I’m keeping all the evidences, emails and images also I have the records of bugs that I made through Apple bug-report.

Update: The video embed that we initially published has been removed because it is no longer available.

We’ve reached out to Apple as we try to ascertain further information about the alleged security breach and Balic’s claim.

Headline image via nechbi / Flickr

Read next: Restaurant guide Zomato introduces social features and goes live in 5 new cities worldwide