Apple Credits Security Researcher Balic, But Not For Vulnerability Related To Developer Center

A recent posting on Apple’s Web Server notifications page issues credit to Ibrahim Balic, 7Dscan.com and SCANV of Knownsec.com for the discovery of two web security issues. Balic, you may recall, discovered a vulnerability that he later publicly claimed was responsible for the weeks-long outage of Apple’s Developer Center.

The posting was discovered by 9to5Mac.com who claimed that Apple was crediting Balic with reporting the issue that took down the Dev Center.

However, my sources confirm that Balic’s report is not responsible for the outage. The issue that Balic reported had nothing to do with why Apple took down the developer center. That was a completely separate vulnerability. Indeed, the entry related to Balic is annotated with the iAd Workbench portal address, not the Developer Center address.

Screen Shot 2013-08-20 at 10.59.01 AM

The vulnerability reported directly below Balic’s entry was credited to 7dscan.com and SCANV and is annotated with Apple’s Developer Center address. It seems far more likely that these two researchers are the ones who discovered the remote code execution vulnerability in the Developer Center which caused the outage. For researchers who are in this game, the credit from a company is the reward, so they most likely reported it to Apple. Once it had been confirmed, Apple was worried enough to take the Dev Center down to fix the problem.

The fact that Balic was not responsible for the aggressive response and rebuilding of the Developer Center by Apple was previously posited by John Paczkowski at AllThingsD and Charles Arthur at The Guardian. Our own Chris Velazco also spoke at length to Balic about his breach of the iAd portal. He also expressed skepticism that Balic’s report was the cause of the Developer Center outage. It turns out that this was the correct deduction.

Balic maintained that he was simply performing research (for which he has been thanked by other companies) and retained no user information. He went public with the security issues related to the Dev Center in a YouTube video after he says he got no response from Apple.

When contacted to inquire about the actual cause of the Developer Center outage, Apple declined to comment.

Image Credit: Flickr/Martin Abegglen