Linked by Thom Holwerda on Mon 22nd Jul 2013 10:10 UTC
Apple
"Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability." It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.
Thread beginning with comment 567704
RE: Unfortunate course of action
by Soulbender on Mon 22nd Jul 2013 10:56 UTC in reply to "Unfortunate course of action"
Soulbender Member since:
2005-08-18

Unfortunately he had already actually used those bugs to hack into the system and retrieve some data about 73 Apple employee accounts and he claimed to have another 100,000 user details he had secured by exploiting the bugs.


If that's actually true then Apple has no reason in the world to give him any credit. In fact, they should probably turn him in but he seems to have done that himself, more or less.

It is not clear why he did this


Because he's an unethical dumbass?

Ibrahim Balic says he is concerned about the impact on his reputation.


Well, sure. Stealing data isn't good for your reputation.

Reply Parent Score: 7

MOS6510 Member since:
2011-05-12

I think the problem is that people looking for bugs on other people's systems don't do it to find 'n' report them, but to see if they can actually be exploited.

It's a bit like checking if doors are locked, which is okay, but what isn't okay is to enter a home and walk around to "prove" the door was unlocked.

I think most of us wouldn't mind if some stranger told us we left our car unlocked, but we wouldn't like it if he also told us he sat in our car for a while, taking pictures, checking the radio presets and making copies of documents found in the glove compartment.

Reply Parent Score: 6

lucas_maximus Member since:
2009-08-18

I think most of us wouldn't mind if some stranger told us we left our car unlocked, but we wouldn't like it if he also told us he sat in our car for a while, taking pictures, checking the radio presets and making copies of documents found in the glove compartment.


You hit the nail on the head here tbh.

I have contacted site owners (some that had quite a bit of traffic) and told them about SQL injection vulnerabilities (that I pretty much stumbled upon after seeing a MySQL error message bubble up to the surface) and shown them a proof of concept. For the most part, the response was positive.

If it wasn't, I made sure I kept the emails just in case I had to prove my intentions to law enforcement (I have been threatened once or twice after a heads up to a site owner).

Edited 2013-07-23 18:34 UTC

Reply Parent Score: 3