A Strange Hack at Apple’s Developer Center

Today the news of the hacking of resources at a major IT company does not really come as a surprise to anyone. Unfortunately, attacks like this now happen more often

Today the news of the hacking of resources at a major IT company does not really come as a surprise to anyone. Unfortunately, attacks like this now happen more often than we would like, and Apple Inc. recently became one of the latest to fall victim to this type of hack, although the story is somewhat ambiguous, if not strange.

Around July 18th, Apple’s Developer Center for iOS and Mac OS X developers suddenly shut down. Everything was down, including both the site and the forums, and the main page sported a notice saying it was “undergoing maintenance.”

Only after three days had passed did Apple officially acknowledge that the site might have been hacked. Registered users received the following letter from Apple:

“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer site up again soon.”

Later, Apple’s representatives repeated to the press that the presumed hacking had only affected their developers’ accounts; regular iTunes users were not involved and there was no leaking of credit card information. The three-day silence was, they said, necessary for Apple’s administrators to assess the scale of the attack.

On July 22nd Ibrahim Balic, who calls himself a private security researcher, appeared to comment on a TechCrunch article, declaring himself the hero of the day.

He said that he invaded the Apple Developer site purely for research intentions and found a lot of bugs within it:balic

“In total I have found 13 bugs and have reported them through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I’ve also added screenshots.

One of those bugs provided me access to users’ details etc. I immediately reported this to Apple. I have taken 73 users’ details (all Apple Inc workers only) and used them as an example.”

“My aim was to report bugs and collect the data for the porpoise of seeing how deep I can go within this scope. I have over 100.000+ users’ details and Apple is informed about this. I didn’t attempt to get the data first and then report it, instead I have reported first.”

Balic later explained in an interview for iMore that he got the user data not from a developer portal exploit, but instead acquired it from Apple’s iAd Workbench, a tool that lets users create targeted iAd campaigns. With altered web requests, Balic found that by providing only a single piece of user information, first name, last name, etc., he was able to get Apple’s servers to receive additional information for user accounts — specifically full names, usernames and email addresses.

To better understand the extent of the vulnerability, Balic wrote a Python script that generated random users to throw at Apple’s servers in order to get the servers to respond with more account information whenever there was some sort of match. The servers gave him (sic) the data of a 100,000 users. Of those records, Balic included 73 in his bug report to Apple, all of which belonged to Apple employees.

So if the bug was in iAd, why does Balic believe he might be responsible for the developer portal outage? There is no direct explanation for this. Of the 13 bugs that Balic filed with Apple, one of them was an XSS (cross-site scripting) vulnerability in the developer site that could have led to accounts being compromised. In fact, of the 13 total bugs, 12 of them were XSS vulnerabilities in various Apple services that had the potential to expose user details.

Balic received heartfelt thanks from Apple later about the bugs he’d filed. However, he does have reasons to fear being involved with a police investigation since he recorded and posted a video on YouTube in which viewers could see a terminal window with a script harvesting the servers of Apple. He never explained why he did it, but he did end up taking the video down.

There is a hypothesis that Balic’s activity simply coincided with an attack of some other intruders. This theory was justified by developers who started receiving multiple requests for password changes on their accounts. Theoretically, those could have been attempts at taking control of their accounts. According to some reports the requests began to come in before July 18th.

Balic says he had nothing to do with those queries, and the information that his script managed to gain access to would not let anyone seriously compromise user accounts.

So far the results of the story are as follows:

  • There are serious flaws in Apple’s resources, and the company’s administrators are not fixing a single one.
  • Critical user data stored on Apple’s servers was encrypted (at least, according to Apple).
  • The actual alteration of the whole architecture of Apple’s Developer Center shows that a very serious problem exists, which cannot be fixed by a simple facelift. It is still in question whether or not these problems were brought to light by Balic.
  • Even though it proclaims to have “a spirit of transparency,” Apple has not shared much about the situation and no one can really say what actually happened. Being secretive in this type of situation is expected, but not necessarily the best move.
  • For a long time, only the main page and the notification form about vulnerabilities worked on Apple’s Developer Center, which Balic, as he wrote on his twitter account, managed to use while likely founding another flaw related to cross-site scripting. The site has since been restored to full operation.

Break-ins are always bad for a company’s reputation. In this case, however, it’s still a mystery if there was a break-in at all. Or maybe the discovered vulnerabilities just scared Apple’s officials so much that they decided to reconstruct everything. The second option seems less likely, simply because even a service outage could damage their reputation. Apparently, they chose the lesser of two evils.

Although at the moment there is no information on the actual situation, Ibrahim Balic eventually took responsibility for what happened to Apple’s Developer Center. Thus, it appears that the harm was done, whether directly or indirectly, by no malicious criminal but by an enthusiast, who was acting with good intentions.

Companies with any significant amount of IT infrastructure should consider setting up contacts with enthusiasts who search for vulnerabilities and are ready to report them. The more straightforward and universally comprehensible a procedure is (a notification form in a separate section of the site is ideal), the better both sides fare.