HOLMDEL: If you opened a malicious website link in iTunes U, a remote learning app, before its last security update, the link could take over the app and access the user’s private information.

It could see the user’s phone number or email address. It could answer assignment questions and, in Holmdel High School junior Giyas Umarov’s own explanation, “basically act like the user whenever (it) wants”.

On Sept 15, Apple credited Umarov for notifying the company of the security problem in its security update. This is the second time Apple has publicly acknowledged Umarov for identifying a security issue.

At 16, Umarov has joined a legion of cybersecurity experts, many employed at specialised research institutions, publicly thanked by Apple for testing and notifying the company of vulnerabilities in its system.

Umarov’s mom Dilek said she first began to realise his knack for cybersecurity when he figured out how to bypass her phone’s screen lock at 10 years old.

“He learned how to remove my passcode so he could use the phone as much as he could. At first, I thought he, like, just saw my password. But then I realised he just found a way,” Dilek said. “So, I just gave up and (understood) that in this case he outsmarted me.”

Umarov said he became interested in cybersecurity because he thought it was interesting how a mistake in a software code could lead to software operating in a completely different way from its intended use.

“You never know what a bug could, like, allow for,” he said.

Umarov began to learn how to hack systems from others online. He said he looks up to cybersecurity experts who have figured out how to bypass lock screens or control iPhones remotely.

Umarov said he was looking for vulnerabilities in Apple’s system when he found his first bug at age 14. He had heard of a protocol where developers can distribute their apps outside the Apple app store using a link. Umarov wanted to figure out if he could bypass the lock screen using the link. So, he opened the camera app, scanned a QR code with a link and unlocked a phone.

Umarov emailed Apple a summary of the issue and suggested a fix.

A year later, Apple released an update and acknowledged Umarov.

Dilek said Apple has confidentiality clauses, “So, (her son) didn’t tell anything, even to us. So, we learn about that when the update came.”

Dilek was giving her four kids breakfast when the news broke. “My second son said, ‘Oh hey mom, do you know Giyas was recognised by Apple?’ And I’m like, ‘Haha, very funny’.”

She went to check the update and thought the acknowledgement was the result of Photoshop.

“I was like ‘What did you do!’ And he’s like ‘Oh Mom, I just found a bug’. I’m like, ‘No, not just found a bug’. He’s like, ‘Mom don’t overreact. It’s just a bug.’ ... Our child found a bug in a very big famous company!”

Neither Dilek nor her husband work in engineering or the sciences and Umarov had never taken a computer science class at that time.

“He did everything by himself. And that was like completely amazing for us. I still can’t understand how he did that, but he did that,” Dilek said.

Umarov now takes advanced placement computer science in high school. He has also read books on the programming language C and Apple’s software. In terms of a career, he said he hopes to do something in computer science or cybersecurity. – Asbury Park Press/Tribune News Service