Dev Site Security Hack: Apple’s Disclosure Headache

| Analysis

Apple shut down its Mac, iPhone, and iPad developer website last Thursday saying it was performing unscheduled maintenance. Emails saying the maintenance was the result of a security breach were sent to developers over the weekend, and as of Monday morning the site was still down. Good on Apple for keeping developers in the loop, but should they have been given the whole story earlier?

[Image caption: Apple waited three days before warning developers of data breach]

Developers were greeted with a "We'll be back soon" message Thursday afternoon without any hint about the security breach. That breach, it turns out, involved someone attempting to hack into the developer account database -- news that didn't make its way to developers until Sunday evening.

That email stated in part,

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

Apple said it has been in the process of "completely overhauling our developer systems, updating our server software, and rebuilding our entire database."

The company's carefully chosen words also included "cannot" when referring to the ability to read the sensitive personal information. That's significant because Apple is claiming that even if someone copied those records out of the database, they can't be read without the keys. Two caveats apply to that claim: encrypted data stays safe only as long as the keys weren't exposed in the same incident, and Apple draws the line at "sensitive" information; names, mailing addresses, and email addresses, which it admits may have been accessed, are evidently not in that encrypted category.

Even though it did take a few days for Apple to get the whole story to developers, at least they finally did. That doesn't mean, however, that developers weren't left wondering exactly what was happening. In fact, they were left in the dark for about three days.

While Apple is saying that it hasn't ruled out the possibility that some information was taken, one man who claims to be a security researcher said he actually has developer account data. Ibrahim Balic shared a video link on Twitter with proof he has user account information. While he does show user names in his video, there isn't any indication that he also gained access to account passwords or other sensitive information.
Apple spokesperson Tom Neumayr also told AllThingsD, "The website that was breached is not associated with any customer information," and that, "customer information is securely encrypted."

Apple was left in a position where executives had to choose the lesser of two evils: disclose the attack to developers immediately and face questions it couldn't yet answer, or wait a few days until it could provide some real answers. Had Apple revealed what it initially knew, which was likely "there's been an attempted hack, but we don't know if anything has been taken," the company would've faced accusations of incompetence, since the answer to many questions would've been "I don't know." By waiting a few days, Apple was able to learn more about exactly what happened and offer developers a more complete answer.

[Image caption: Apple's email warning developers about the security breach]

Withholding information about security breaches leads to distrust and a loss of confidence, and that's a lesson Sony learned the hard way. In spring of 2011, hackers downloaded account information for millions of PlayStation Network members -- including credit card details and passwords -- and Sony withheld the news from users for several days. Users and the media responded just as you'd expect: with anger and frustration.

Apple's developer data breach doesn't look to be nearly as serious as Sony's, and information about what happened was released within three days instead of after more than a week. Apple may have to deal with some anger for that delay, but in the end waiting was the right thing to do. Developers have more information about what's happening, and Apple doesn't have to deal with ongoing questions it can't answer.

Apple may have a black eye over this data breach, but it isn't as bad as it could've been had the company come forward last Thursday without any real information to share. It's all about damage control, and while Apple will have to deal with some public backlash, it could've been far worse for the company. This time, waiting was the right thing to do.

Comments

Mike Weasner

Whenever I hear about credit card company security breaches I wonder what server OS they are running (probably Windows) and whether it was fully up-to-date on security patches. I always wish that companies who have my data would be more upfront about such breaches, in particular what OS they are using to protect MY data and why it was not current on security updates (if that’s the case).  In the case of Apple’s breach, I wonder the same thing.  Was this a Windows, OS X (WebObjects?), Linux, Unix, or something else system that was hacked?

Joe Aiello

No, waiting to share information on a security breach is Always a bad idea.  It’s been reported that some Developers have received bogus ‘password reset’ emails.  How many anxious developers provided their credentials hoping to get back in on Friday, or Saturday, or Sunday?

Had Apple simply said:
There was a breach and all users should be suspicious of any messages referring to the Developer Site or User Passwords.  More information will be released after discussions with law enforcement.

If that was released ASAP, the community would have known to be suspicious of phishing emails.  I’m sure this delay led at least one person to accidentally provide hackers with credentials related to an app store app….

Lee Dronick

Is the Black Hat Conference this week?

pjchooch

@Mike:  Really?  You think Apple might be using Windows servers?  Really?

haywire

That guy has a rather cool website over here:

http://balicbilisim.com

Just scroll the page all the way to the bottom to see where they hack from.

Lee Dronick

Never click on a link in a email that tells you to reset your password and such. Manually enter the URL, or from your bookmarks.
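The advice above is worth making concrete: a reset email can display one URL while its link points somewhere else entirely. The script below is an added example, not code from the original article or any of its commenters. It parses a constructed phishing-style message (the From header, the lookalike host under the reserved .example TLD, and the expected-host list are all assumptions for the example) and flags links whose host is not the expected site or whose visible text disagrees with the real href.

```python
"""Added example: audit the links in a password-reset email.

The sample message, the EXPECTED_HOSTS list and the lookalike host are
constructed for this example; .example is a reserved TLD, not a real domain.
The From header is ignored on purpose: it is trivially forged.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts a genuine developer-site reset link should use.
EXPECTED_HOSTS = {"developer.apple.com", "appleid.apple.com"}

# Constructed sample: the displayed text says developer.apple.com,
# the actual href does not.
SAMPLE_EMAIL = """\
From: "Apple Developer" <noreply@developer.apple.com>
To: dev@example.com
Subject: Action required: reset your developer account password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to the recent maintenance, please reset your password here:
<a href="https://developer.apple.com.account-verify.example/reset?u=dev">https://developer.apple.com/account</a></p>
<p>Or visit <a href="https://developer.apple.com/">the developer site</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def host_allowed(host, expected):
    """True only for an expected host or a real subdomain of one.

    'developer.apple.com.evil.example' must fail: the check anchors on the
    dot boundary, not on a substring match.
    """
    return any(host == e or host.endswith("." + e) for e in expected)


def audit_reset_email(raw_email, expected_hosts=EXPECTED_HOSTS):
    """Return [(href, [problems...]), ...] for each link in the message.

    An empty problem list means the link passed every check.
    """
    msg = message_from_string(raw_email)
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)

    report = []
    for href, text in parser.links:
        problems = []
        if urlsplit(href).scheme != "https":
            problems.append("not-https")
        if not host_allowed(link_host(href), expected_hosts):
            problems.append("host-not-expected")
        # Visible text that looks like a URL must agree with the real target.
        if text.startswith(("http://", "https://")) and link_host(text) != link_host(href):
            problems.append("text-href-mismatch")
        report.append((href, problems))
    return report


if __name__ == "__main__":
    for href, problems in audit_reset_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if problems else "ok", href, problems)
```

Running it marks the first link as both off-host and mismatched with its displayed text, and passes the second. The host check deliberately tests on a dot boundary rather than with a substring match, because "developer.apple.com" appearing at the start of a hostname is exactly the trick a lookalike domain relies on.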

BurmaYank

Balic’s full comment and a video he posted on YouTube appear below:
“My name is Ibrahim Balic, I am a security researcher. You can also search my name in Facebook’s Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple Inc.
In total I have found 13 bugs and have reported them through http://bugreport.apple.com. The bugs were all reported one by one and Apple was informed. I gave details to Apple as much as I could and I’ve also added screenshots.
One of those bugs has provided me access to users’ details etc. I immediately reported this to Apple. I have taken 73 users’ details (all Apple Inc. workers only) and provided them as an example.
4 hours after my final report the Apple developer portal was closed down, and you know it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watch/read whether legal authorities were involved in the investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn’t attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I could go within this scope. I have over 100,000+ users’ details and Apple is informed about this. I didn’t attempt to get the data first and report later; instead I reported first.
I do not want my name to be on a blacklist, please look into this situation. I’m keeping all the evidence, emails and images, and I also have the records of bug reports that I made through Apple’s bug-report site.”

If Balic’s assertion is true, and his hack DID provide him with ”...access to users details etc. ...(enabling him to take)  ...73 users details - all apple inc workers only - and prove them as an example.”, then Apple’s promise that any taken info was too deeply encrypted to be decipherable was false.

I believe Balic’s claim is utterly false, because it seems much more unlikely that Apple was not telling the truth than that Balic wasn’t.

haywire

Lee,

That’s not an email. It’s a hyperlink to their website.

Lee Dronick

Haywire, I was referring to getting an email that tells you to update your password. So you click on a link in the email that goes to a phishing hole.
