Apple Developer Site Breached

The original notice on the site Thursday said merely that the site was undergoing maintenance for an extended period. "We'll be back soon", it claimed. But combined with the unexpected reset emails ("Thank you, person who sent password reset requests over and over on my Apple ID all night", tweeted Jacqui Cheng), it was clear that something had happened.

The first update from Apple came late Friday. The message on the site changed. Maintenance is "taking longer than expected." But, "If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store." Still nothing about a breach.

Finally, on Sunday, Apple came clean. The message changed again and was sent out to developers. "Last Thursday," it said, "an intruder attempted to secure personal information of our registered developers from our developer website."

Sensitive data was encrypted, but Apple could not rule out "the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed." The intruder accessed some email addresses but the passwords were encrypted – hence the attempted password resets.

No Apple customer information was on the affected system. Nevertheless, the breach comes at an awkward time for Apple and its developers. The site is a major source of software downloads, documentation and development discussion, just as Apple and its developers are gearing up for major new releases of both iOS and OS X.

"In the spirit of transparency, we want to inform you of the issue", says Apple's statement. "We're completely overhauling our developer systems, updating our server software, and rebuilding our entire database." But it doesn't say exactly what happened nor how it happened – nor does it provide a timeline for when it expects the new site to be available to developers.

London-based researcher Ibrahim Balic claimed on Twitter this morning, "Apple!! This is definitely not an hack attack !!!!!!!!!!!!" Balic claims to have discovered the flaw, among several others, that could have been used to breach the site, and says he reported the bugs to Apple. He created a video demonstrating the flaw, which is now available on YouTube. If the 'hacker' had viewed this video, then either a hack could have taken place, or the email addresses displayed in the video could have been noted and used in the password reset attempts.

"To my mind", comments Graham Cluley, "that was highly irresponsible of him. Even though you can’t see 100,000 personal details in the video you can determine *some*, and no-one deserves to have their personal information spread across the web like that without their permission."

Clearly not enough is yet known about what actually happened. The flaw does exist. Apple has shut down the site and is hardening it. And Cluley is left wondering if Apple will be tempted to take legal action against Balic.
