Apple closes developer site after researcher's intrusive hack

By John P. Mello, CSO
July 23, 2013 10:21 AM ET

CSO - After keeping developers in the dark for four days, Apple acknowledged on Sunday that a website it maintains for about 275,000 developers had been taken offline because of security concerns.

"Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website," the company explained in a notice posted at the site. "Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed."

"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database," Apple said.

Apple did not respond to a request to comment on the breach for this story, but told TechCrunch that it waited three days before informing developers of the breach in order to make a proper assessment of what data had been exposed in the breach.

The company added that no credit card numbers were compromised, and neither were any iTunes accounts.

Some developers say they're inconvenienced by the shutdown but relatively sanguine about it. "It didn't affect us and we are happy how the situation was handled by Apple," Simonas Bastys, a member of the development team at Pixelmator, said in an email.

John Gruber, a developer who also runs the Daring Fireball blog, said in an email, "I can say, so far, that the outage has been a minor inconvenience."

"My team can't access WWDC session videos, for example," Gruber said. "Not a show stopper, but annoying."

A Turkish security researcher, Ibrahim Balic, said he found the vulnerability in the website and informed Apple about it. He noted in a tweet: "Apple!! This is definitely not an hack attack !!! I am not a hacker, I do security research."

In a comment posted to TechCrunch, Balic said he'd reported 13 bugs to Apple. One of them allowed him to access user details at the developer site.

At first he extracted information for 73 Apple employees and sent them to Apple as a sort of proof of concept. Apparently, he kept exploiting the vulnerability to test its scope and now has the details of more than 100,000 users.

Balic did not respond to a request for comment for this story.

The researcher is being criticized by some security pros for his conduct. "Without Apple's explicit authorization to conduct penetration tests on their website, even with good intentions the act was unethical," said Richard Westmoreland, a security analyst with SilverSky.

However, Westmoreland said that exposing the vulnerability kept Apple from falling prey to a watering hole attack, a targeted attack that compromises a website its intended victims are known to visit.

"If the attack had remained undetected, the portal could have been used in a watering hole attack similar to what compromised Facebook developers' machines earlier this year," Westmoreland said.
