OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.

If you can find where I am and get inside ;). Only fools don't secure their valuables and I'm no fool.

There's no need to use sarcasm. The point is if Apple didn't know about this and someone with more malicious intent had known about these issues without reporting it, it would've been a bigger mess.

Dev accounts hold valuable App Store info. Not to mention sensitive banking, tax and pricing details.
 
Well if it didn't happen Apple wouldn't have taken measures to improve security. Pretty straightforward.

Not to knock your post or anything, but you're assuming Apple never takes steps and measures on dealing with security. It was only the website that was hacked, and I'm not saying it's no big deal, but this would be more of a shocker if Apple was a security company. The LifeLock CEO's identity was stolen multiple times. That's something to raise an eyebrow over. Yahoo and Facebook's subscribers get hacked quite often; it doesn't mean they don't work on security, things can still happen.
 
100,000 users? I thought all information was encrypted.

Not sure if the information was actually encrypted, i.e., something in addition to SSL. SSL (https) just encrypts the connection, whether 128-bit or 256-bit I don't know. Passwords / credit cards (I would hope) are definitely hashed, and I would assume with a salt, so there's really no way anyone could actually get access to your account by signing onto the Apple developer site.

The guy (or whoever) just breached the entire system and got access to all the data (i.e., the database). Basically the attacker / researcher or whatever you want to call this person got a bunch of names and addresses or whatever was stored in the database that was not hashed / encrypted, which is probably most things except for passwords / credit cards. It is standard practice to hash passwords with a salt in the industry, but as has been seen with previous cases, i.e., Evernote, these practices are not always up to industry standards.

As an example, at Evernote the passwords were hashed with MD5 encryption (I believe), which is widely regarded as a TERRIBLE way to protect passwords or sensitive information. Even I developed a site and hashed passwords 10x better than MD5. The fact that a company such as Evernote used MD5 after they became a "big" company is completely laughable and ridiculous.

Again, I have no idea what Apple uses, but if it's MD5, which I doubt, then I have lost all faith in any security practices from Apple, and in turn, any data I have stored with them is at risk of getting breached by hackers. Again, that's if it's hashed with MD5.
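As an added illustration of the point made above about salted hashes versus plain MD5 (example code, not from any poster, Evernote or Apple; the user names and passwords are constructed), this shows why an unsalted MD5 store collapses identical passwords into one crackable digest while a salted, iterated scheme does not:

```python
import hashlib
import hmac
import os

# Constructed sample credentials; two users happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Iteration count for the slow hash (tune to your hardware budget).
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    # The weak scheme the post criticises: fast, unsalted MD5. Identical
    # passwords yield identical digests, so a single precomputed table
    # cracks every account that shares a password.
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt=None) -> str:
    # Salted and deliberately slow: a random 16-byte salt per record plus
    # PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count, then compare
    # in constant time so timing does not leak digest prefixes.
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(store) -> bool:
    # True when two users with the same password get the same stored value,
    # i.e. when the store offers no per-user salt.
    return store(USERS["alice"]) == store(USERS["bob"])
```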
 
I hope this is true. It is probably the best possible outcome.
Apple rapidly improves security but no actual harm results.

Scattered reports of password resets means nothing since they occur all the time anyway. It's just that now people can point at something that could be to blame. (Now, that doesn't mean there is no connection, but scattered reports isn't evidence of a connection.)

edit: now that I've seen this guy's youtube video, I'm more nervous.
He seems quite immature. I mean he claims not to have shared any information with anyone, but there it is in his video. Huh? I suppose hackers may always claim to be researchers... once they are detected?
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.

You're equating a physical break-in to a house with a breach of online security... That is nearly as moronic as the car analogies computer enthusiasts try to use all the time while comparing hardware.

As far as we know he is telling us the truth. He found vulnerabilities and divulged them to Apple. He could have very easily taken as much as possible and gone off to sell the users' information and metadata. Also, if he is telling the truth, Apple, if they sue him, is going to set a very dangerous precedent (for itself and possibly others), as no one in their right mind would let them know about a security vulnerability in the future.

Again, this is assuming there is not another part to the story. However, the way things are going (I am talking overarching in the tech sector), I could just imagine Apple beating him to death anyway with a few lies and lawyers. Then parading about saying, "Look, we destroyed the bad hacker... who let us know about a security issue that put your information at risk." Then some overzealous attorney general trying to make a name for themselves will step in and put the harshest penalty on him... yeah, this guy should have just not said anything.
 
Not to knock your post or anything, but you're assuming Apple never takes steps and measures on dealing with security. It was only the website that was hacked, and I'm not saying it's no big deal, but this would be more of a shocker if Apple was a security company. The LifeLock CEO's identity was stolen multiple times. That's something to raise an eyebrow over. Yahoo and Facebook's subscribers get hacked quite often; it doesn't mean they don't work on security, things can still happen.

I think what "had to happen" was it getting exposed to Apple. Because clearly Apple didn't know about this issue. I'm sure with their resources they have an entire department just on security for dev accounts but there's always these little bugs that manage to go unnoticed.
 
If you can find where I am and get inside ;). Only fools don't secure their valuables and I'm no fool.

There's no need to use sarcasm. The point is if Apple didn't know about this and someone with more malicious intent had known about these issues without reporting it, it would've been a bigger mess.

Dev accounts hold valuable App Store info. Not to mention sensitive banking, tax and pricing details.

I think the point is this... He's realized he got caught trying to get passwords, then posted: "Oh, I'm an innocent for-hire 'independent' security tester, don't mind me, Apple didn't ASK/hire me, but that's OK, I have 100k user accounts now."

VERY fishy. Likely he had an agenda: (1) to get his 15 minutes and get his name out there, (2) he got caught and is covering now.

Of course.. some just accept what people say at face value.. especially on the internet.. Lemmings R' US these days!
 
I think you should add quotation marks around the Researcher in the title. Or replace it with Idiot.

He claims that he has not spread the information anywhere else. Is he necessarily speaking the truth? Also, is he not a hacker because he "alerted" Apple by intruding into the system using a bug he found?

Now he's trying to rationalize his wrongdoing by providing evidence. He may be doing that because he doesn't want to be arrested. Exactly 10 people will sympathize with him.
 
At least he went about it the right way, asking Apple beforehand if he could research the effectiveness of the security of their developer site and coming to an agreement before attempting anything... :rolleyes:
 
The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!

This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.

I've always had great luck when I report my bugs to Apple. The key thing they ask for is as much detail as possible.

instead of:
I opened mail and went to the main mailbox and I did not receive a response for a long time...
write:
Tapped on the Mail app; after the screen launched and the app restored my previous email, I tapped the back button until I reached the main mailbox. When arriving at this menu, the app took 30 seconds to respond...

Extra details like the hardware you were running, battery life, or plugged in, over WiFi or 3G, etc., etc.

All these little bits of detail have generally prompted a request for additional information from an Apple engineer, such as device logs, snapshots, or crash logs as needed.

In other words, as detailed as possible, and the more the merrier.
 
Sounds fishy. But the unusually high number of password resets could come from users who have obviously heard about this breach.

I was prompted to reset the password for my developer Apple ID when logging into one of the developer sites (possibly iTunes Connect) a week or two ago.

I thought it slightly odd at the time because I couldn't recall it ever expiring my password before.

Is it coincidence that this security breach happened a few days later?
 
If something like this happened to you

Like a locksmith company that goes out and picks the lock on your front door, takes pictures of the inside of your house, closes your front door and sends you the pictures.
 
The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!

This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.

People give bugreport such a bad rap...I've reported 10 bugs via bugreport and have gotten calls from Engineers, requests for more details - and a few bugs closed as duplicates.

I guess I've had a good experience in comparison to others...
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.
Not really analogous.

It'd be like if somebody walked past my house when I wasn't home, noticed my front door didn't look like it was locked properly, turned the handle and opened it to make sure, then closed it and left a note letting me know that I need to make sure to lock my doors. It seems nefarious because he took user data, but that's common for security researchers. You take some info that proves that you did, indeed, gain access, but you make sure that it's data that won't harm anybody or put anybody's privacy in jeopardy. If he just said, "Hey guys, I got into your database. No proof or anything though," his claim wouldn't hold a lot of weight.

EDIT: I agree with what some have said in regard to him informing Apple before attempting all of this. He definitely should have said something. Apple responded to the breach without taking any half measures, because for all they knew, it was done by somebody with malicious intentions. The downtime and confusion could have been avoided if they had been given some heads-up. The difference between white hatting and grey hatting like this can mean the difference between being thanked by the company in question or being sued into the ground by that company.
 
I think what "had to happen" was it getting exposed to Apple. Because clearly Apple didn't know about this issue. I'm sure with their resources they have an entire department just on security for dev accounts but there's always these little bugs that manage to go unnoticed.

Understandable, but developers' information was exposed, so I'm not inclined to agree that it "had to happen". Maybe if something else in the company was hacked and exposed, such as projects they were working on, then okay, but the developers don't deserve to be victims.
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.

That analogy doesn't hold. This is more of an unsolicited external penetration test :p probably the most effective test there is.

Physically breaking and entering is obviously different man :D
 
You're equating a physical break-in to a house with a breach of online security... That is nearly as moronic as the car analogies computer enthusiasts try to use all the time while comparing hardware.

As far as we know he is telling us the truth. He found vulnerabilities and divulged them to Apple. He could have very easily taken as much as possible and gone off to sell the users' information and metadata. Also, if he is telling the truth, Apple, if they sue him, is going to set a very dangerous precedent (for itself and possibly others), as no one in their right mind would let them know about a security vulnerability in the future.

Again, this is assuming there is not another part to the story. However, the way things are going (I am talking overarching in the tech sector), I could just imagine Apple beating him to death anyway with a few lies and lawyers. Then parading about saying, "Look, we destroyed the bad hacker... who let us know about a security issue that put your information at risk." Then some overzealous attorney general trying to make a name for themselves will step in and put the harshest penalty on him... yeah, this guy should have just not said anything.

And the fact that you are taking this at face value is just as moronic. As I posted this morning on another forum... you have to take this seriously. I have been in IT security meetings for the last 3 hours on this. I work for a very large and well-known company with a little over 10K iOS devices in use. While Apple says that the data wasn't compromised, we cannot take that chance. We now consider all certs (MDM, provisioning profiles, and CSRs) to be dead. We use a very large MDM platform to secure our devices, and as of this morning the MDM cert on it is no longer valid. This for us is a real cluster****. As soon as we have access to our account we have to revoke the MDM cert, all provisioning profiles, all development certs.
 
People give bugreport such a bad rap...I've reported 10 bugs via bugreport and have gotten calls from Engineers, requests for more details - and a few bugs closed as duplicates.

OK, so possibly I was exaggerating slightly, but I do find the Apple bug report experience to be quite frustrating compared to others.

Aside from its clunky and old-fashioned interface, the most frustrating thing is that it isn't possible to search and check whether an issue has already been reported. This reduces the incentive to spend a lot of time creating a high-quality, detailed bug report when it could likely just get closed as a duplicate anyway.

The more open way in which Google handles bug reporting is far superior.
 
I think the point is this... He's realized he got caught trying to get passwords, then posted: "Oh, I'm an innocent for-hire 'independent' security tester, don't mind me, Apple didn't ASK/hire me, but that's OK, I have 100k user accounts now."

VERY fishy. Likely he had an agenda: (1) to get his 15 minutes and get his name out there, (2) he got caught and is covering now.

Of course.. some just accept what people say at face value.. especially on the internet.. Lemmings R' US these days!

There is really one outcome: Prison time.
 
Not really analogous.

It'd be like if somebody walked past my house when I wasn't home, noticed my front door didn't look like it was locked properly, turned the handle and opened it to make sure, then closed it and left a note letting me know that I need to make sure to lock my doors. It seems nefarious because he took user data, but that's common for security researchers. You take some info that proves that you did, indeed, gain access, but you make sure that it's data that won't harm anybody or put anybody's privacy in jeopardy. If he just said, "Hey guys, I got into your database. No proof or anything though," his claim wouldn't hold a lot of weight.

Not sure why you think your analogy is better. By his own admission he kept going to see how deep he could go. He wasn't just walking by, he was specifically testing the doors and windows. And when he found one that was open, he went inside and tried the locks on all the file cabinets. Then he opened one and made copies of its contents.
 
The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!

This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.

True that.
It takes AGES until reports get answered, and when they do, the answers are disappointing more often than not.

I asked if they could implement ZFS or develop their own corruption-aware and preventive filesystem with the other benefits known from ZFS.
See that? 2 options I asked for.

Their answer: ZFS is not owned by Apple.

NO ****.
Apple licenses a lot of technologies, so that statement in itself is completely moot AND ignored my second suggestion.
This is not only frustrating, it's disrespectful. Especially as I waited LITERALLY MONTHS for that reply.

**** that.

Glassed Silver:mac
 