Apple developer center hacked by security researcher?

The mystery of why Apple’s Developer Center has been inaccessible for users since last Thursday has apparently been solved, as UK-based security researcher Ibrahim Balic claims that the outage is due to its penetration testing efforts.

Apple first tried to placate users with a short notice saying that maintenance is taking longer then expected, but as the days went by many have speculated that the real reason of the blackout was a security breach.

In the meantime, some of the users started receiving password reset emails for their accounts.

Then, on Sunday, the company admitted that an intruder tried to access personal information of their registered developers.

“Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed,” they stated, and added that they are completely overhauling their developer systems, updating their server software, and rebuilding their entire database in order to prevent such a breach from happening again.

“If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store,” they reassured the developers.

The company also stated for Macworld that that the website that was breached was not associated with any customer information, and that it was not possible for the attacker to access app code or the servers where app information is stored.

Finally, earlier today, there was an unexpected development to the story, as Balic explained his involvement in a comment to a TechCrunch article about the outage:

Hi there,

My name is ibrahim Balic, I am a security researcher. You can also search my name from Facebook’s Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple inc.

In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I’ve also added screenshots.

One of those bugs have provided me access to users details etc. I immediately reported this to Apple. I have taken 73 users details (all apple inc workers only) and prove them as an example.

4 hours later from my final report Apple developer portal gas closed down and you know it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any respond to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watch/read that whether legal authorities were involved in its investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not done this research to harm or damage. I didn’t attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise of seeing how deep I can go within this scope. I have over 100.000+ users details and Apple is informed about this. I didn’t attempt to get the datas first and report then, instead I have reported first.

I do not want my name to be in blacklist, please search on this situation. I’m keeping all the evidences, emails and images also I have the records of bugs that I made through Apple bug-report.

He also included a video in which he demonstrated how he was able to access these user details, and explained that he will be deleting all the data he took from Apple’s servers.

Apple is yet to confirm whether any of Balic’s claims are true or to set a date for when the site will be reopened.