Apple Developer Center Was Hacked

mercurial

Apple’s developer site was accessed by “an intruder” last Thursday, the company has disclosed, and Apple has not ruled out the possibility that developers’ names, mailing addresses and/or email addresses were compromised.

The company just sent developers an email explanation, after pushing them off for the past three days with notices that the developer site was down for maintenance.

It appears that the potentially vulnerable names and addresses had not been encrypted. By contrast, Apple said developers’ “sensitive personal information” was encrypted, so it has not been accessed.

Before it reopens the developer site, Apple is “completely overhauling our developer systems, updating our server software, and rebuilding our entire database,” the email said.

Apple spokesman Tom Neumayr said he would not go into further detail about the weakness of the old system or the improvement of the new system, but he noted that no customer information was impacted.

“The website that was breached is not associated with any customer information,” Neumayr said. “Additionally, customer information is securely encrypted.”

The Apple developer site — which allots access to iOS 7, OS X Mavericks and other development kits, helps developers allocate apps to beta testers, and also includes popular developer-only forums — went down Thursday, and was first marked with a notice saying it was down for maintenance.

Later, it was updated with a notice saying, “We apologize that maintenance is taking longer than expected.” Developers were told that their memberships that would have expired during the downtime had been automatically extended.

Extended downtime is rare, and developers had wondered what was up, with some, including Marco Arment, theorizing that there had been some sort of security breach.

Here’s the full notice:

Apple Developer Website Update

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

Source
 
Report: Turkish researcher admits to Apple Developer Center hack (update)

A Turkish security researcher has come forward saying he is responsible for hacking Apple's Developer Center last week, stating he did so to expose flaws in Apple's system, reports The Guardian.

The report states that researcher Ibrahim Balic posted a video to YouTube, which has since been marked private, in which he demonstrates the ways in which Apple's site was vulnerable. The Guardian also states the video shows developer names and IDs, although a handful of the displayed emails belong to "long-deprecated services" like Freeserve and Mindspring.

"I have reported all the bugs I found to the company and waited for approval," Balic said in the video, showing a screenshot of a bug filing dated July 19, the day after the developer portal was pulled. "I think you should fix it as soon as possible."

Balic later took down the video, stating he did not mean to share the confidential information.

"My intention was not attacking," Balic told The Guardian. "In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it."

In an email to developers late Sunday night, Apple wrote that "an intruder attempted to secure personal information of our registered developers...[and] we have not been able to rule out the possibility that some developers' names, mailing addresses and/or email addresses may have been accessed." Some users also received emails asking them to reset their Apple ID passwords, suggesting some personal details were leaked. However, the company confirmed that the hack did not compromise any developer code.

Apple also stated it would begin "completely overhauling our developer systems, updating our server software, and rebuilding our entire database [of developer information]."

Polygon has reached out to Apple for more information and will share details as we receive them.

Update: Reader Andrew found a cached version of Balic's video on Archive.org and shared it with us. It can be viewed here. Thanks, Andrew!
 