Security researcher used iAd Workbench exploit to hack Apple’s dev center

By , Jul 23, 2013

iAd Workbench (MacBook Air teaser)

Last Thursday, an intruder attempted to secure personal information from Apple’s developer website. The company immediately took the dev center offline, and at the time of this writing it’s still down, in order to rebuild its systems in a way that this won’t happen again.

But just exactly how did it happen? Well according to Turkish security researcher Ibrahim Balic, who is claiming responsibility for the outage, he was able to infiltrate Apple’s servers thanks to an exploit he discovered in the recently released iAd Workbench software…

TechCrunch’s Chris Velazco spoke with Balic, who says that after discovering bugs for Facebook and other sites, he recently turned his attention to Apple. And he’s actually done quite well, sending 13 new bugs to the iPad-maker since he began his research on July 16.

iad-exploit-w

But there’s one exploit in particular that seems to be getting the lion’s share of attention, and that’s bug #14488816. Balic highlighted the find in his video (which has since gone private) and claims he reported it to Apple on July 18—hours before the dev center went down.

“That little security issue is centered around Apple’s iAd Workbench, a recently launched tool that lets users craft and target iAd campaigns to better build hype around their iOS apps. Balic discovered that if you manipulated a request sent to the server that runs Workbench, it would allow you to try to add a new user to the account. From there you could try throwing in first names, last names — whatever really — and the server would then respond with a full name and email address. Once Balic understood the full scope of the problem, he (and this is where his rationale loses me a bit) wrote a Python script to scrape all the data he could find and showed some of it on YouTube.”

As for the dev center itself, Balic submitted a bug report (#14461474) to Apple on July 16 that dealt with the dev center’s vulnerability to a stored XSS attack. He said that it was technically possible to access user data by exploiting this issue as well, but he never attempted it.

Ibrahim remains adamant that his intentions were not malicious, and it’s worth noting that Apple has confirmed that no credit card data, or any other sensitive information, was compromised. It’s still unclear, though, how much longer the developer center will be down.

  • Share:
  • Follow:
  • Jaye

    Suck a fat one for delaying Beta 4.

    • Yup

      You are P A T H E T I C. Think about that.

      • Jaye

        I did. Now I’m going to cry like a little baby.

  • Joseph

    “And he’s actually done quite well, sending 13 new bugs to the iPad-maker since he began his research on July 16.”

    …Foxconn? Because last I checked, Apple designed the device, they don’t make the parts and sure as hell don’t assemble them.

    • Linuxcooldude

      Moot point, most other computers are made by Foxconn like Dell, XBox, HP ect. Just trying to downplay Apple.

      • Joseph

        It was a joke, so.

      • Rahnold

        Not a very good one.. ;P

  • ✪ aidan harris ✪

    One thing that I don’t get though is that if it’s possible to encrypt passwords why not encrypt everything? That way even something as simple as a name or email address is useless if leaked / retrieved since it is encrypted…

    • Daniel Beecham

      Email Address And Names Looks Like the are not Encrypted, but the Credit Card And Bank stuff Are!!!

      • ✪ aidan harris ✪

        That was the point I was trying to make! Why is this though or if everything was encrypted would it require extra processing power in order to decrypt it?

      • Ru1Sous4

        I wanna know the answer for that too…

    • Tristan

      Because that would make sense. We can’t have that.

    • Maxim∑

      passwords are encrypted through a separate server, emails are stored in plain text and are attached to the encrypted credentials. The emails are not encrypted mainly so Apple can ID accounts I guess it would take to long for them to decrypt it every single time, if you go to apple and view the code for a log in it will look like this:
      script.src=
      Userername)%(your email)
      $password$: (just dots) md5 checksum 3294832948230asdf291!
      server ID key:90383adjai93n (your encryption ID here)

      numbers are just random :)