Hacker Group Says Apple Developer Site Vulnerable to Phishing


A group of hackers calling itself the YGA Ethical Hacker Group (YGA) has said that it has identified security holes in Apple Inc.’s developer website that could allow a malicious hacker to launch phishing attacks against Apple developers, tricking them into divulging their Apple ID login information. Unsatisfied with what it feels is Apple’s slow response, the group has threatened to disclose those security holes in a few days.

At issue is that YGA said it found a “vulnerable code portion in developer.apple.com [called] URL Redirection to Untrusted Site (‘Open Redirect’),” according to Networkworld. Turning to the Common Weakness Enumeration definition from MITRE for this term, we learn that:

“By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.”

In other words, a link to Apple’s Developer Connection can currently be crafted so that it redirects to another site on another server, and that site or webpage can be crafted by the bad guys to look like Apple’s site. The link the developer is sent still begins with a genuine apple.com address, which is what makes it convincing; the redirect to the attacker’s server only happens after it is clicked. If a developer then tries to log in with their Apple ID on the fake page, they will have handed the bad guys those credentials.
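To make the weakness concrete, here is an added example (not code from Apple or from YGA; the page does not say which endpoint or parameter on developer.apple.com was affected, so the `/login` path, the `returnTo` parameter and the `TRUSTED_HOSTS` allowlist below are hypothetical). It contrasts a redirect handler that trusts the client-supplied target, which is the CWE-601 pattern, with one that only accepts same-site relative paths or allowlisted hosts, and it checks the usual bypass shapes a pentester would try: a foreign host, a scheme-relative `//host`, a `host@` userinfo trick, a look-alike subdomain, and a backslash path.

```python
"""Open redirect (CWE-601): unsafe vs. hardened handling of a return-URL
parameter. Constructed example; hostnames and parameter names are assumptions."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, quote

# Hypothetical allowlist: hosts a login flow may legitimately return to.
TRUSTED_HOSTS = {"developer.apple.com", "idmsa.apple.com"}
SAFE_SCHEMES = {"https"}
DEFAULT_TARGET = "/membercenter/"       # hypothetical fallback landing page
PARAM = "returnTo"                      # hypothetical parameter name


def _target_param(request_url: str) -> str:
    """Pull the raw return-URL parameter out of the request URL."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get(PARAM, [DEFAULT_TARGET])[0]


def redirect_target_unsafe(request_url: str) -> str:
    """The vulnerable pattern: whatever the client put in ?returnTo= is
    echoed straight back as the Location header, so a link that starts
    with the real site name lands the victim on an attacker-chosen page."""
    return _target_param(request_url)


def redirect_target_safe(request_url: str) -> str:
    """Hardened version: relative same-site paths, or absolute https URLs
    whose host is on the allowlist; everything else falls back to a fixed
    default instead of being reflected."""
    target = _target_param(request_url).strip()

    # Control characters could split headers or confuse the parser.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return DEFAULT_TARGET

    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only target. Require exactly one leading "/" so that
        # "//evil.example" (scheme-relative) or "/\evil.example" (which some
        # browsers normalise to "//") cannot leave the site.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return DEFAULT_TARGET

    # Absolute target: scheme and host both have to be allowlisted.
    # urlsplit().hostname drops userinfo and port, so
    # "https://developer.apple.com@evil.example/" resolves to evil.example,
    # and "developer.apple.com.evil.example" is simply not in the set.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in SAFE_SCHEMES and host in TRUSTED_HOSTS:
        return urlunsplit(parts)
    return DEFAULT_TARGET


def phishing_link(attacker_page: str) -> str:
    """What a phisher would send: a real-looking developer.apple.com link
    whose return parameter points at the attacker's clone of the login page."""
    return f"https://developer.apple.com/login?{PARAM}={quote(attacker_page, safe='')}"


if __name__ == "__main__":
    link = phishing_link("https://evil.example/apple-signin")
    print("crafted link :", link)
    print("unsafe target:", redirect_target_unsafe(link))
    print("safe target  :", redirect_target_safe(link))
```

Run it directly and the crafted link resolves to `https://evil.example/apple-signin` through the unsafe handler but to the fixed default through the hardened one. The allowlist approach is preferable to pattern-matching the string for "apple.com", which is exactly what the `@` and look-alike-subdomain cases defeat.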

YGA said that it warned Apple on April 25th about the vulnerability, and that Apple even acknowledged the problem on April 27th, telling the group, “We take the report of a potential security issue very seriously.”

This is unusual compared to Apple’s historical reputation for not acknowledging security reports until it was ready to fix them, but Apple has been much more aggressive in tackling security problems since Window Snyder was brought into the company in March of 2010 as Apple’s Senior Product Manager for Security. Since that time, Apple has been far quicker in responding to security reports in its operating systems.

Be that as it may, YGA said that it believes the holes have not yet been repaired, and that this is unacceptable. If Apple doesn’t patch the holes in the next few days, the group said that it will detail the security flaw in Apple’s Developer Connection through the Full Disclosure Mailing List, an “unmoderated high-traffic forum for disclosure of security information.”

This is the same tactic the group used to pressure McAfee earlier this year when that company was slow to respond to a security report from YGA. The group feels that companies, especially companies involved in security or technology, should be more aggressive in operating secure websites, and that they have a larger responsibility to do so.

Other security researchers have taken similar paths in dealing with security holes in Mac OS X and iOS in the past. Frustrated with what they have seen as Apple’s slow response to their reports, some have taken to disclosing them in order to pressure Apple, as well as other companies, to fix them. As noted above, such complaints appear to have quieted since Ms. Snyder joined Apple.

Comments

ilikeimac

If the bad guys then try to log in using their Apple ID logins, they will have given the bad guys those credentials.

Um, yeah. Those bad guys will fall for anything, even their own scams.

[Edit: Also, you mean “repaired” not “prepared” in “YGA said that it believes the holes have not yet been prepared”.]

Lee Dronick

If Apple doesn’t patch the holes in the news few days, the group said that it will detail the security flaw on Apple’s Developer Connection through the Full Disclosure Mailing List, an “unmoderated high-traffic forum for disclosure of security information.”

Well that is grown up of them.

Ethical Commenter

Yes, very ethical group. Their name says it all. Ethical group…

If they were not an ethical group they would publish publicly their findings… wait!

Bryan Chaffin

Thanks for catching the typos, ilikeimac. smile

Conan

> If Apple doesn’t patch the holes in the news few days,...

Typo… it should be:
“If Apple doesn’t patch the holes in the next few days,...”

Mikuro

Isn’t this pretty much standard practice for security firms? Give the company fair time to fix the problem before publishing your findings. Two months is fair time.

Lee Dronick

Isn’t this pretty much standard practice for security firms? Give the company fair time to fix the problem before publishing your findings. Two months is fair time.

I disagree. They shouldn’t say anything public or private about the vulnerability other than informing Apple. It will be fixed as soon as possible and that may take more than 60 days.

Mikuro

I disagree. They shouldn’t say anything public or private about the vulnerability other than informing Apple. It will be fixed as soon as possible and that may take more than 60 days.

I understand your perspective, and part of me agrees. However, whether they publish it or not, the vulnerability is still there and who knows who else might already know about or re-discover it independently.

Corporations sometimes need a fire lit under their asses, and users need to be informed so as to be able to protect themselves.

But maybe 2 months is less than the normal time? I’m not sure what precisely is the standard practice in the industry.

Lee Dronick

My feeling is that publishing this news only encourages script kiddies, for lack of a better term. I am sure Apple is not ignoring the threat and don’t need the blackmail.
