Apple was hacked via its "outdated, crappy technologies"
alanwarwic
http://thenextweb.com/apple/2013/07/22/researcher-claims-he-told-apple-of-developer-center-vulnerability-but-didnt-maliciously-steal-data/
As there was access to 100,000 users data I'd assume 100,000 passwords have now been reset.
"In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I’ve also added screenshots.
One of those bugs has provided me access to users' details etc. I immediately reported this to Apple. I have taken 73 users' details (all Apple Inc workers only) and prove them as an example.
4 hours later from my final report Apple developer portal has closed down and you know it still is."
I guess with a bit of wider publicity and 'we prefer not to know' Apple might just let him back in.
I do wonder how many first trespassed without telling.
Comments
It looks like he reported 13 bugs and as they were still not actioned he went and confirmed the seriousness of the security hole.
Only after supplying proof did action take place, and rather than bothering to speak to him direct, they instead closed down that server impacting on the 100,000 developer accounts there.
The next security developer would be far wiser selling their exposé to the Telegraph or Panorama. You are less likely to get life in a US prison that way.
I'm not sure if Apple actually reported him to US law enforcement agencies but it is almost implied that he is now a wanted criminal.
"as company 'rebuilds and strengthens' security around databases".
"Theft".
"My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it."
I'm not sure if he is running scared or if the video (screen recording log?) came first.
"The breach is the first known against any of Apple's web services."
Obviously 'No proof of concept' is ever allowed then.
I would hazard a bet that more than a few reading here would be in prison if so.
http://www.theregister.co.uk/2013/07/22/im_not_a_hacker_says_apple_bloke/
"Security market expert Graham Cluley has predicted that Apple may be tempted to take tough action to dissuade any other researchers from probing too hard."
That Register report reminds me that Kaspersky was banned from iOS.
It does get rather strange when the only legitimate non-Apple-employee security researcher appears to be the career criminal.
"If the black helicopters take you away, can I have your laptop?"
The guy's English is maybe not great but it makes it easier to see why he has now panicked.
All companies have problems, no one is perfect, we know.
A missing Howard Hughes seems more forthcoming.
You can't ever 'join all the dots' with Apple which always makes for great fascination. And Apple defending us all against the bad little good guy is a bit more surreal than usual.
Contrast that to Microsoft who read far more like an open book.
If it was hate I'd probably have been reading and posting in the fairly preposterous iPhone electrocution topic.
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
Well that made for interesting reading. Just maybe Balic actually had nothing to do with it.
And the fact that they never acknowledge anyone, at least without a visit from the police, could be his saving.
That array of 13 security holes, on different servers, reported over several days, was wide-ranging enough to leave one thinking that Apple is always swarming with intruders. The one he demonstrated looked to be on a different server in iAds where he could return names and addresses, not just of developers but of what he thought were standard regular Apple gadget users. So maybe just a coincidence and Balic understandably panicking?
A connection from there to this developer server would obviously be for iAd payments IDs.
Whatever, it looks like they are certainly trying to clean up some major disaster.
The 'intruder' detection is quite probably true on any particular day, so maybe it was just a wrong-sized spanner from Amazon, Microsoft or whoever runs/owns the Apple developer server.
BTW they have since removed the iAd adduser function that might have simply returned regular iTunes users' names and addresses, so again, likely a separate issue there.
"It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone."
http://www.osnews.com/story/27206/Researcher_claims_he_told_Apple_of_Developer_Center_vulnerability
They do use a whole hotchpotch of stuff including Google software.
https://developer.apple.com/support/system-status/
https://developer.apple.com/
A wicked accidental sense of humour there.
Now we get a 'this dial goes up to 15'. Bug reporting was seemingly working anyway.
The developer forum will certainly let off a certain amount of NDA steam when it opens and they get beyond what really looks like a data loss catastrophe.
There is also a fair chance they bulldozed badly through, not realising they had a bug report in front of their nose that could have called back that slightly misbehaving bulldozer.
So let's lay this story out.
Some time last week a chap that identifies himself as a "security researcher" found a vulnerability in Apple's Developer facing technologies and filed bug reports and a detailed analysis of how he used that vulnerability to extract the details of up to 100k developers and or users from Apple's systems. By way of proof he analysed the data and extracted and submitted back to Apple the details of 73 accounts claimed to be those of Apple employees.
So far, so good.
He, you and me have absolutely no idea how Apple responded to, or used that data.
After the "security researcher" published his technique on YouTube (video since withdrawn) Apple takes action, by shutting down the entire Apple Developer areas of their website.
The "security researcher" stole data; there is absolutely no way at all to ensure that he did not leak, sell or exploit that data, and because he did not get his taint tickled by Apple he published his methodology.
Apple have absolutely no choice but to shut down their systems at this point. Anyone, and there are a few that post here, who look after similar systems would have done exactly the same; shut the system down until sure that the "security researcher" has not compromised further systems or sold, or leaked or exploited data.
alanwarwic, we understand you hate Apple, but if you had the first clue about data security you would understand exactly what happened.
There is little else to 'comprehend' unless we spin more, apart from that at 7 days Apple gave us that status picture to say "hey give us a break, we are trying our best".
That would suggest hardware failures for a start.
What they have is a software exploit that could expose corporate and / or personal data, and so took the decision to shut their systems down to ensure no more data was stolen or exploited.
It simply does not compute. What is also fascinating is that a short while before this problem, a brand new interface came up, but it got pulled fairly quickly.
That is what normally happens in 'down for maintenance'. Up pops something new, so just maybe they got stuck halfway through. Obviously in reporting an intruder they would then have been telling us about that security report Balic sent.
Again, my last statement is as much as we really know. Systems are down. BTW your timeframe in the last comment works out all wrong. And at 7 days I do feel the use of the word 'catastrophic' quite justified.
Now tell me how you separate private discussion areas from accounts tied to developer accounts?
Now convince me the "security researcher" did not pass details to third parties?
Nice politics.
Or, you could answer the question.
Of course I could answer the question. I could even tell you I get my code fixes in 5 times faster than my competitors.
But it means zilch if it is not relative.
Is it any wonder no one responds to your ramblings?
I need to ask this, but just to be sure, is English your first language?
The timeline ain't just wrong, you are all jumbled to hell.
Seriously, all we can see is that the Balic guy is a convenient fall guy!
Now go and read up properly.
Balic is now a fall guy?
Have you ever, ever, worked in the industry?
You do not expose or admit to fault UNTIL such time as you have managed to plug the hole.