Turkish researcher that he hacked into Apple's Developer portal, which
has been offline for more than a week.
Ibrahim Balic, who describes himself as a security consultant, claimed
on Sunday that he had discovered a number of weaknesses in the site at
developer.apple.com which allowed him to grab email addresses of
registered developers.
Apple took its developer portal offline on Thursday 18 July. On Sunday
it emailed developers warning that the site had been hacked and that
some of their details might have been stolen. It has not given any
more details of how the hack was carried out.
In all, Balic said he had been able to grab the details of 100,000
people registered on the site, and that he included 73 of them in a
bug report to Apple. He claimed that he exploited a cross-site
scripting (XSS) bug in the site, and noted 13 issues in a bug report
to Apple between 16 and 20 July.
However XSS attacks generally require the attacker — which in this
case would be Balic — to "infect" a page, in this case Apple's, with a
malicious piece of Javascript or HTML which would then be used to
extract data from a visiting user. If Balic's claim is correct, he
seems to have used the XSS exploits against his own system.
Balic offered to provide proof of his hack by sharing some details of
the file with the Guardian, and provided the emails for 19 people; the
Guardian also extracted another 10 from an email Balic put on YouTube
in which he apparently showed how he hacked the site. (He has since
made the video private.)
But attempts by the Guardian two days ago to contact 29 of the group
whose details Balic claims to have acquired found that seven of the
emails bounced — because the email is no longer operational — and not
a single one of the others has responded to a request to say whether
they are registered with Apple. Nor could any of the emails or names
be discovered online — which would be unusual for any active
developer.
Many of the emails also belong to defunct services such as Freeserve,
Demon and SBC Global — which makes it unlikely that they would have
signed up as developers, as that only became possible in 2008.
Graham Cluley, an independent security consultant, commented: "Many of
the names and email addresses either don't look like they would belong
to Apple developers, or appear to have left no footprints anywhere
else on the net." Of the set of 10 emails which appeared in the video,
he said: "It's almost as though these are long-discarded ghost email
addresses from years ago or have been used by Balic in his video for
reasons best known to himself."
Balic told iMore that the user information that he showed in a video
came not from an exploit against a developer portal, but from Apple's
iAd Workbench, for targeting advertising campaigns to users. He said
that a malformed web request to those servers containing just a first
name or last name meant he could get more data — including a full
name, username and email address for those users.
He then said that he wrote a script that generated "random" users to
get more account information wherever there was a match of some sort,
and used that to acquire the user details.
Balic did not respond to a request by the Guardian to explain why the
emails he had apparently collected were defunct or apparently
inoperational.
Apple refused to comment on the method used to hack into its site. It
would not comment on whether it has called in law enforcement over the
hack, or whether it has identified any suspects.
Even if the hack was not carried out by Balic, Apple has still been
the target of a significant attack. However, standard iTunes Store and
App Store accounts belonging to non-developers have not been affected.
The increasing delay in bringing its developer portal back online may
also create problems for Apple in its preparation for the launch of
iOS 7, the updated version of its iPhone and iPad software. It
released the third beta for the software on 8 July, and has generally
aimed for a fortnightly cycle of releases. That would imply that the
fourth beta should have been released last Monday 22 July – although a
year ago there was a three-week delay, from 16 July to 6 August,
between the releases of the third and fourth betas for iOS 6, the
current iPhone software.
The company meanwhile has set up a new "system status" page, which on
Friday morning showed that only two of its 15 developer systems — for
updating apps, and reporting bugs — are online.
Copyright http://www.guardian.co.uk/
0 comments:
Post a Comment