  #1  
Old 23-07-2013, 05:22 PM
gary
Registered User
Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,999
Apple left red-faced over Developer Center website hacked

Received the following email from Apple this morning, 23rd July at 11:13 AEST -

Quote:
Originally Posted by Apple Inc
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
The Apple Developer web site has been offline since Thursday July 18th
for what Apple described as "maintenance".

However, the company waited 3 to 6 days before alerting developers that their personal
data may have been accessed.

Now, UK-based Turkish security researcher, Ibrahim Balic, has claimed
responsibility for the attacks, but insists it was for legitimate security research.

Balic claims he found 13 bugs with the Apple Developer web site that allowed him
to compromise it and was able to access "over 100,000+ user details".

Apple claims that whilst most of the compromised data was encrypted, the
developers' names were not.

Story here -
http://www.independent.co.uk/life-st...s-8725987.html
  #2  
Old 23-07-2013, 05:41 PM
pluto (Hugh)
Astro Noob
Join Date: Dec 2011
Location: Sydney
Posts: 1,982
"Originally Posted by Apple Inc...
...In the spirit of transparency,..."

Thanks for posting this, I needed a little chuckle

Seriously though it's a worrying trend that companies are punishing legitimate security researchers who point out flaws in their systems for the purpose of making them safer rather than exploiting them for commercial gain. Of course this isn't just Apple, though they do have a history of quietly sweeping security issues under the rug in an effort to preserve their image of "it just works".
  #3  
Old 23-07-2013, 05:43 PM
iceman (Mike)
Sir Post a Lot!
Join Date: Sep 2004
Location: Gosford, NSW, Australia
Posts: 36,799
It's affected us at work too, can't upload a new patch of one of our apps!
  #4  
Old 23-07-2013, 06:09 PM
Steffen
Ebotec Alpeht Sicamb
Join Date: Feb 2010
Location: Toongabbie, NSW
Posts: 1,975
Quote:
Originally Posted by pluto View Post
Seriously though it's a worrying trend that companies are punishing legitimate security researchers who point out flaws in their systems for the purpose of making them safer rather than exploiting them for commercial gain. Of course this isn't just Apple, though they do have a history of quietly sweeping security issues under the rug in an effort to preserve their image of "it just works".
Well, he hasn't been punished yet, although he ought to be. No ethical and legitimate security researcher will break into a site without permission, just to make a point. If he ever had a CISSP (certifying that he is a legitimate security worker) he's going to lose it now. At work, when we do penetration tests for paying clients we make doubly sure that all paperwork is in place and all affected parties are informed before proceeding. His cowboy antics could well land this guy in jail.

Also, Apple doesn't secretly fix security flaws. All their security fixes are published in security bulletins and due credit is given to the discoverers of the vulnerabilities.

Cheers
Steffen.
  #5  
Old 23-07-2013, 10:58 PM
pluto (Hugh)
Astro Noob
Join Date: Dec 2011
Location: Sydney
Posts: 1,982
Quote:
Originally Posted by Steffen View Post
Well, he hasn't been punished yet, although he ought to be. No ethical and legitimate security researcher will break into a site without permission, just to make a point. If he ever had a CISSP (certifying that he is a legitimate security worker) he's going to lose it now. At work, when we do penetration tests for paying clients we make doubly sure that all paperwork is in place and all affected parties are informed before proceeding. His cowboy antics could well land this guy in jail.

Also, Apple doesn't secretly fix security flaws. All their security fixes are published in security bulletins and due credit is given to the discoverers of the vulnerabilities.

Cheers
Steffen.
Fair enough, thanks for the info.
I guess that leaves me with the question of why he would have done it the way he did then? I mean, if he was a professional then surely he would have known the protocol to follow when conducting this type of research, and if he was trying to do something bad then surely he wouldn't have told Apple about it and put his hand up in public afterwards... perhaps he just wanted to see how far he could get...?

Obviously I don't read computer security news, but it seems to me there are similar cases to this every now and then. I suppose I find it strange that there are that many skilled people doing this stuff with good intentions but going about it the wrong way; after all, that type of work requires some serious learning and thinking skills. I've interpreted that to mean that the companies are reacting harshly to these people, but I see your point.