Wednesday, May 18, 2016

New Details Emerge on Security Resrcher Potentially Responsible for Dev Center Outage

rly this morning, independent security resrcher Ibrahim Balicspeculatedthat he may responsible for thesecurity brchthat caused an extended outage of 's Developer Center, which hasbeen offlinesince late last week.

Despite Balic's claim that he reported his findings directly to and did not intend to act maliciously, information that he gave in an interview withTechCrunchsuggests somewhat questionable behavior.

Balic, who has reported 13 different bugs to , originally discovered an iAd Workbench vulnerability on June 18 that allowed a request sent to the server to be manipulated. This security hole could be used to acquire the names and email addresses of iTunes users (even non-developers). After finding the loophole, Balic wrote a Python script to harvest data from the vulnerability and then displayed it in a YouTube , which may have put him on 's radar.

A screenshot of Balic's submitted bug reports. Click to enlarge.
In addition to the iAd Workbench bug, Balic also discovered and submitted a report on a bug that caused the Dev Center site to be vulnerable to a stored XSS attack. While Balic says that it was possible to access user data by ing the Dev Center issue, he claims that he did not do so. According toTechCrunch, Balic's YouTube (which has since been removed) contained full names and email addresses, and it is unclr where they originated.
It's too bad, though, that the seemed so definitive: After showing off s of 's downed Dev Center and the company's official response, Balic then showed a slew of files that seem to contain full names and email addresses. It seems pretty damning, but Balic says that he never went after the Developer Center site directly, and all that user information he highlighted came from the iAd Workbench. Two separate bugs paved the way for one very confusing .Balic claims that he harvested data on 73 employees and 100,000 other iTunes users, but he says that he did not use the Developer Center that he first submitted on July 16, instd garnering the data from the iAd Workbench issue.

TechCrunchreports that the data that Balic gained (limited to email addresses and IDs) may have come from non-developer accounts, though has clrly stated that only developer accounts were affected.
Throughout our conversation, Balic maintained that he was only ever trying to help . When asked why he downloaded all that user data rather than simply reporting the bug, Balic says he just wanted to see how "deep" he could go. If he wanted to do ill, he says, he wouldn't have reported everything he found. For what it's worth, he also says he never attempted to reset anyone's — the farthest he went was to email one of the addresses he had discovered and ask if it was rlly the person's ID. Balic didn't get a response.Due to the ambiguity of the source of the names and email addresses shown in Balic's , it is unclr whether or not he caused the Dev Center outage by manipulating the iAd Workbench bug and it is equally unclr what his intentions were.

No comments:

Post a Comment