Apple Developer Website Hacked – What Happened?
If you haven’t heard yet that Apple’s Developer Center was recently hacked, you’re probably living on a different planet (or don’t care about Apple). So what actually happened?
It all started on 18th July 2013 when Apple’s Developer website went offline for maintenance.
This isn’t actually that uncommon, but the downtime is normally limited to a few minutes. By the time 24 hours had elapsed, developers were taking to Twitter to express their annoyance. The Apple Developer website is used to download pre-release versions of the software and to manage devices and certificates. For some developers this meant a delay in launching their app.
The following day Apple changed the maintenance message to the one shown below:
This update did, to a certain extent, keep developers happy who were worried that their membership was about to expire.
On the 21st of July, with rumors starting to emerge about a possible security breach, Apple sent its developers the following message:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
Is it just me, or does this message not actually make sense? It starts by reassuring developers that ‘Sensitive personal information was encrypted and cannot be accessed’. It then says that they cannot ‘rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed.’ Does this not fall under the sensitive information that cannot be accessed? Apparently not.
The second paragraph explains what Apple are doing to get the system back online. I still find their wording very peculiar. Shouldn’t the server software already be kept up to date?
What actually happened?
If I could give you a simple answer then we probably wouldn’t be in this situation in the first place.
A few days after the security breach a Turkish security researcher called Ibrahim Balic came forward to claim responsibility. It was actually a rather strange acknowledgment, as he admits that he was probably the cause.
His initial discovery was related to Apple’s iAd Workbench. He discovered that when sending altered web requests, he was able to get users’ full names and email addresses. He claims that his actions had good intentions and he sent a bug report to Apple detailing his findings. Just 73 users’ details, all of which were Apple employees, were included in the bug report.
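An added example, not Apple’s code or Balic’s: a minimal model of the class of defect described above, where a parameter in the request decides whose record comes back, the corrected lookup that binds the record to the authenticated session, and a check over constructed access-log lines that flags a client pulling many other users’ records. User ids, names, addresses and IPs are constructed placeholders.

```python
from collections import defaultdict

# Constructed user directory; all values are placeholders.
USERS = {
    101: {"name": "Alice Example", "email": "alice@example.com"},
    102: {"name": "Bob Example", "email": "bob@example.com"},
    103: {"name": "Carol Example", "email": "carol@example.com"},
}


def profile_vulnerable(session_user_id, requested_user_id):
    """Trusts the id supplied in the request: any logged-in user
    can read any other user's name and email by changing it."""
    return USERS.get(requested_user_id)


def profile_fixed(session_user_id, requested_user_id):
    """Authorises against the session, not the request parameter.
    A mismatch is refused (in a web app: HTTP 403 plus an audit log entry)."""
    if requested_user_id != session_user_id:
        return None
    return USERS.get(requested_user_id)


# Constructed access-log lines from a system WITHOUT the check above:
# "<client ip> <session user id> <requested user id> <http status>".
ACCESS_LOG = [
    "203.0.113.5 101 101 200",
    "203.0.113.5 101 102 200",
    "203.0.113.5 101 103 200",
    "203.0.113.5 101 104 200",
    "198.51.100.7 102 102 200",
]


def enumeration_suspects(log_lines, threshold=3):
    """Return {client_ip: count} for clients that successfully fetched
    profiles belonging to at least `threshold` distinct OTHER users."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, session_uid, requested_uid, status = line.split()
        if status == "200" and requested_uid != session_uid:
            seen[ip].add(requested_uid)
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```

The detection only makes sense on logs from the unfixed handler, since the fixed one never returns 200 for another user’s id; after the fix, the same log search should return an empty result.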
Was this security risk really responsible for the developer center outage? I think not. At the same time as writing the bug report, he reported 12 other security bugs, all of which related to XSS (cross-site scripting) vulnerabilities. They can all be seen below:
Does any of this actually make any sense? If he was a security researcher, why did Apple say it was the work of an intruder? I think that a security researcher might have sounded a bit better given the situation.
Balic thought Apple’s statement was strange so he released a YouTube video (that has since been taken offline) to set the record straight. The video seemed to only make his situation worse, so I guess that was why it was deleted.
A different theory was that a malicious intruder had hacked into the Dev Center. Many developers reported receiving password reset requests in the days leading up to the 18th July. Balic was very quick to deny any responsibility for these requests, and so maybe another security threat is at play.
My personal opinion is that Balic’s bug reports happened to coincide with the hackers’ activity. Balic used the official channel and there was no indication that the exploits were shared publicly, so I would have thought that Apple would silently release a patch. Taking the entire site offline seems very dramatic.
Today, 25th July, I received another email from Apple giving a further update. The email provided a link to a new status page that will be updated as the systems come back online.
I do not think for one minute that we have heard the last of this incident. I think we should all understand that this is clearly a very serious situation and without the full information it would be unwise to speculate.
How much damage could this security breach have on Apple’s reputation? Leave a comment below.