CUPERTINO, Calif.—Apple doesn’t believe in transparency as much as it believes in the spirit of transparency, which means it will be transparent when it feels like it, like now… sort of. Apple took its Developer’s Site offline Thursday but didn’t explain why until yesterday, when it posted the following statement to the still-shuttered site:
We’ll be back soon.
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.
Thank you for your patience.
The three-day delay in reporting the incident has been criticized by some—Graham Cluley, a security expert, called it “disappointing”—while others have said it was fast for such a big company. “Some companies take weeks or months to act on something like this,” said security researcher Marcus J. Carey. “I give them credit for acting fast.”
The story took another turn yesterday when TechCrunch posted an article about the incident and a commenter said that he was responsible for the hack, which wasn’t a hack.
“Hi there,” wrote the commenter. “My name is Ibrahim Balic, I am a security researcher. You can also search my name from Facebook's Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple Inc.
“In total I have found 13 bugs and have reported through http://bugreport.apple.com,” he continued. “The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.
“4 hours later from my final report Apple developer portal was closed down and you know it still is,” he added. “I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this... I have been waiting since then for them to contact me, and today I'm reading news saying that they have been attacked and hacked.”
Today, TechCrunch posted another article with updated information from and about Balic in an attempt to clarify just what happened. It’s still kind of a one-sided investigation, however.
“Is it possible that Balic’s poking around caught Apple’s attention and prompted the company to take the developer site down?” wrote Chris Velazco. “Yes. The iAd Workbench may fall under the same broad umbrella as the Dev Center, and the Add User functionality that once appeared in the iAd Workbench seems to have disappeared. Only people within Apple really know what’s going on, and they’re just not feeling very chatty at the moment; I’ll update this post if they respond.”
If and when they are in the spirit of transparency, that is.