Turkish security researcher claims to have found flaw in system, which has been offline since Thursday as company ‘rebuilds and strengthens’ security around databases
Apple says its Developer portal has been hacked and that some information about its 275,000 registered third-party developers who use it may have been stolen.
The portal at developer.apple.com had been offline since Thursday without explanation, raising speculation among developers first that it had suffered a disastrous database crash, and then that it had been hacked.
A Turkish security researcher, Ibrahim Balic, claims that he was behind the “hack” but insisted that his intention was to demonstrate that Apple’s system was leaking user information. He posted a video on Youtube which appears to show that the site was vulnerable to an attack, but adding “I have reported all the bugs I found to the company and waited for approval.” A screenshot in the video showed a bug filed on 19 July – the same day the site was taken down – saying “Data leaks user information. I think you should fix it as soon as possible.”
The video appears to show developer names and IDs. However, a number of the emails belong to long-deprecated services, including Demon, Freeserve and Mindspring. The Guardian is trying to contact the alleged owners of the emails.
Balic told the Guardian: “My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it.”
Apple said in an email to developers late on Sunday night that “an intruder attempted to secure personal information of our registered developers… [and] we have not been able to rule out the possibility that some developers’ names, mailing addresses and/or email addresses may have been accessed.”
It didn’t give any indication of who carried out the attack, or what their purpose might have been. Apple said it is “completely overhauling our developer systems, updating our server software, and rebuilding our entire database [of developer information].”
Some people reported that they had received password resets against their Apple ID – used by developers to access the portal – suggesting that the hacker or hackers had managed to copy some key details and were trying to exploit them.
If they managed to successfully break into a developer’s ID, they might be able to upload malicious apps to the App Store. Apple said however that the hack did not lead to access to developer code.
The breach is the first known against any of Apple’s web services. It has hundreds of millions of users of its iTunes and App Store e-commerce systems. Those systems do not appear to have been affected: Apple says that they are completely separate and remained safe.
Apple’s Developer portal lets developers download new versions of the Mac OS X and iOS 7 betas, set up new devices so they can run the beta software and access forums to discuss problems. A related service for developers using the same user emails and passwords, iTunes Connect, lets developers upload new versions of apps to the App Store. While developers could log into that service, they could not find or update apps and could not communicate with Apple.
But if the hack provided access to developer IDs which could then be exploited through phishing attacks, there would be a danger that apps could be compromised. Apps are uploaded to the App Store in a completed form – so hackers could not download “pieces” of an existing app – and undergo a review before being made publicly available.
High-profile companies are increasingly the target of increasingly skilful hackers. In April 2011, Sony abruptly shut down its PlayStation Network used by 77 million users and kept it offline for seven days so that it could carry out forensic security testing, after being hit by hackers – who have never been identified.
It has also become a risk of business for larger companies and small ones alike. On Saturday, the Ubuntu forums were hacked, and all of the passwords for the thousands of users stolen – although they were encrypted. On Sunday, the hacking collective Anonymous said that it hacked the Nauruan government’s website.
On Sunday, the Apple Store, used to sell its physical products, was briefly unavailable – reinforcing suspicions that the company was carrying out a wide-ranging security check. The company has not commented on the reasons for the store going down.
Marco Arment, a high-profile app developer, noted on his blog before Apple confirmed the hack that ” I don’t know anything about [Apple’s] infrastructure, but for a web service to be down this long with so little communication, most ‘maintenance’ or migration theories become very unlikely.”
He suggested that the problem could either be “severe data loss” in which restoring from backups has failed – but added that the downtime “is pretty long even for backup-restoring troubles” – or else “a security breach, followed by cleanup and increases defenses”.
Of the downtime, he said “the longer it goes, especially with no statements to the contrary, the more this [hacking hypothesis] becomes the most likely explanation.”