Apple's Developer Website Compromised
An email went out to developers on Sunday, reading in part:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
Apple's Developer Website Compromised: How It Started
At some point on Thursday, visiting the Apple developer site brought you to a page that said “We'll be back soon.” It apologized for the maintenance that was “taking longer than expected,” and stated that accounts due to expire would be granted an extension.
In the days leading up to the announcement of the intrusion, many users took to Twitter describing a similar problem: receiving password reset emails. This led many to believe the developer site had indeed been hacked. Apple's silence on the issue made many suspicious. While some said it could have been a simple glitch, why wasn't Apple responding to either confirm or deny the rumors?
Apple's Developer Website Compromised: Problem Identified
Once Apple came out with the true story, they assured developers their sensitive information was encrypted. They added that the developer site is undergoing a complete makeover, reworking the site and associated systems including servers and databases.
“Having your partners get breached in a hacking attempt is a serious loss of trust for developers,” said Beijing-based Frank Yu, CEO of app developer Kwestr. “Apple has responded well to allay those fears.”
Others are concerned. “This event shows that our private information and our developer account may be leaked,” said Beijing iOS developer Cui Tong, who works for photo-sharing app PaPa. “I hope Apple will spend more time and resources on security to protect our private information.”
Apple's Developer Website Compromised: Testing, Testing
According to an article on Gigaom, a security researcher has come forward to point out the flaws in Apple's developer site security. He did so in the comments on a TechCrunch post, stating the following:
“My name is Ibrahim Balic, I am a security researcher. You can also search my name from Facebook's Whitehat list. I do private consulting for particular firms. Recently I have started doing research on Apple Inc.
In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.
One of those bugs has provided me access to users' details etc. I immediately reported this to Apple. I have taken 73 users' details (all Apple Inc. workers only) and prove them as an example.”
Gigaom reports that after alerting Apple to the security issue, he then proceeded to download user data on over 100,000 developers in order to test out the bugginess of Apple's site. Of course, he swears this was all done for testing purposes. Erica Ogg, author of the Gigaom article, speculates Balic may be the “hacker”: “If Apple didn't ask for the help, that may explain its reaction and treating the downloading of its developers' information as a hack.”
No matter what the cause, the problem is worrisome for the company and developers alike, especially with the impending releases of OS X and iOS. Developers have been trying to prepare their software for these new OS versions, slated to be released at some point in the fall. It demonstrates that it doesn't matter who you are, Apple or Windows, or what type of site you are hosting, shared hosting or cheap hosting: hackers are out there looking to get to your sensitive data!