Apple closes developer site after researcher's intrusive hack

After keeping developers in the dark for four days, Apple acknowledged on Sunday that a website it maintains for about 275,000 developers had been taken offline because of security concerns.

"Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website," the company explained in a notice posted at the site. "Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed."

"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database," Apple said.

Apple did not respond to a request to comment on the breach for this story, but told TechCrunch that it waited three days before informing developers in order to make a proper assessment of what data had been exposed.

The company added that no credit card numbers were compromised, and neither were any iTunes accounts.

Some developers say they're inconvenienced by the shutdown but relatively sanguine about it. "It didn't affect us and we are happy how the situation was handled by Apple," Simonas Bastys, a member of the development team at Pixelmator, said in an email.

John Gruber, a developer who also runs the Daring Fireball blog, said in an email, "I can say, so far, that the outage has been a minor inconvenience."

"My team can't access WWDC session videos, for example," Gruber said. "Not a show stopper, but annoying."

A Turkish security researcher, Ibrahim Balic, said he found the vulnerability in the website and informed Apple about it. He noted in a tweet: "Apple!! This is definitely not an hack attack !!! I am not a hacker, I do security research."


In a comment posted to TechCrunch, Balic said he'd reported 13 bugs to Apple. One of them allowed him to access user details at the developer site.

At first he extracted information for 73 Apple employees and sent them to Apple as a sort of proof of concept. Apparently, he kept exploiting the vulnerability to test its scope and now has the details of more than 100,000 users.

Balic did not respond to a request for comment for this story.

The researcher is being criticized by some security pros for his conduct. "Without Apple's explicit authorization to conduct penetration tests on their website, even with good intentions the act was unethical," said Richard Westmoreland, a security analyst with SilverSky.

However, Westmoreland said that exposing the vulnerability kept Apple from falling prey to a watering hole attack, a targeted attack on a special interest website.

"If the attack had remained undetected, the portal could have been used in a watering hole attack similar to what compromised Facebook developers' machines earlier this year," Westmoreland said.

Kevin O'Brien, an enterprise solutions architect with CloudLock, noted that what Balic did was illegal under U.S. law, but the ethical dimensions of his actions are a bit murky. "In this case," O'Brien said in an email, "the researcher went public in a way that damaged Apple reputationally if not financially."

"While the full details of what, when and how this information was disclosed are still under wraps and will likely remain so, the determination of whether or not this was an ethical hack is contingent upon whether Apple was given sufficient advance notice of the exploit before the breach was made known to the broader security community," he said.

Balic's actions after penetrating Apple's website trouble Kevin Morgan, CTO of Arxan. "Once he found a flaw that allowed him to access any internal records, was it ethical to extract those records?" Arxan told CSOonline. "No. It was not. It was a clear violation of proprietary information, and a variety of laws as well."

Chet Wisniewski, a security advisor with Sophos, said Balic certainly acted irresponsibly, but Apple, while a victim, isn't totally blameless. "Apple's reluctance to engage the security community openly is probably what led to this," he said in an interview.

"What this researcher did was illegal," Wisniewski said. "It's a crime and it's not very bright to do that, but had Apple engaged him, he probably wouldn't have done it."

Stories by John P. Mello