It’s looking like a rough morning for both Apple and a researcher that reportedly breached Apple’s developer site late last week.
Apple announced this morning that the developer site had been breached on Thursday (whoops), saying an “intruder” had potentially accessed developers’ names, mailing addresses, and/or email addresses. It would seem that the researcher responsible for the breach got nervous at the thought that he was being categorized as a digital burglar. In a video defending his actions, the researcher Ibrahim Balic said that he had reported 13 bugs on the developer site to Apple, which gave him access to developers’ information. Unfortunately, his video also includes some of those developers’ details (ouch).
This story is full of missteps on both sides: Apple did take their site down within a few hours of the report of the breach, but they waited several days to announce it to developers. Balic may have quietly, responsibly disclosed the vulnerabilities to Apple, but then he effectively doxed the developers whose information he stumbled upon.
If the details of the story as we now know it are accurate, this might have been a win for all concerned. Balic was ostensibly testing Apple’s site to help improve their security, even if it was an un-requested test. If Apple had more quickly and more neutrally reported the event, this could have been a quick blip on the media radar that resulted in better security for all. Instead, Apple delayed reporting and used inflammatory words to describe the event. Then Balic got twitchy and released information of Apple developers that likely had nothing to do with this decision. Egg on face, all around!
At any rate, it’s worth reiterating that this breach only pertains to the developer site, not to other Apple sites. The information that was accessed was not app code or data, nor was it credit card information. The breached site is down for now, and Apple is working to secure it before bringing it back up.
photo credit: Tim . Simpson via photopin cc
