Un expert in securitate informatica a accesat unele informatii a peste 100.000 de conturi iTunes fara acordul Apple

  Ieri v-am spus ca Ibrahim Balic, un expert in securitate informatica, a descoperit un bug care i-a permis sa acceseze informatii ale angajatilor Apple, ale dezvoltatorilor de aplicatii, dar si ale utilizatorilor normali. Conturile a 73 de angajati Apple si cele a 100.000 de utilizatori iTunes au fost accesate de catre Balic printr-o vulnerabilitate a sistemului iAd conceput de catre Apple. Balic a descoperit vulnerabilitatea in data de 18 iunie, impreuna cu altele 13 care au fost trimise mai tarziu la Apple, expertul in securitate sustinand ca request-urile trimise catre serverele Apple prin iAd Workbench pot fi manipulate usor.

It’s too bad, though, that the video seemed so definitive: After showing off images of Apple’s downed Dev Center and the company’s official response, Balic then showed a slew of files that seem to contain full names and email addresses. It seems pretty damning, but Balic says that he never went after the Developer Center site directly, and all that user information he highlighted came from the iAd Workbench. Two separate bugs paved the way for one very confusing video.

  In baza acestei vulnerabilitati a iAd, Balic a scris un script Python care i-a permis sa colecteze toate datele prezentate ieri intr-un clip video, adica miile de conturi iTunes si cele ale angajatilor Apple. Separat de aceasta vulnerabilitate, Balic a descoperit ca prin intermediul unui atac de tipul XSS, portalul dedicat dezvoltatorilor poate fi exploatat, el afirmand ca nu a facut acest lucru. Desi pentru a demonstra vulnerabilitatile a obtinut datele ale dezvoltatorilor, Balic afirma ca ele nu provind din Dev Center si ca nu a preluat alte date din acel portal, Apple afirmand exact acelasi lucru in cursul zilei de ieri.

Throughout our conversation, Balic maintained that he was only ever trying to help Apple. When asked why he downloaded all that user data rather than simply reporting the bug, Balic says he just wanted to see how “deep” he could go. If he wanted to do ill, he says, he wouldn’t have reported everything he found. For what it’s worth, he also says he never attempted to reset anyone’s password — the farthest he went was to email one of the addresses he had discovered and ask if it was really the person’s Apple ID. Balic didn’t get a response.

  In ciuda afirmatiilor facute de catre dezvoltator, daca el este intr-adevar vinovat pentru inchiderea Dev Center-ului, atunci Apple ar putea lua masuri legale impotriva sa si l-ar putea acitona in judecata pentru problemele pricinuite.