A group of hackers calling itself the YGA Ethical Hacker Group (YGA) has said that it had identified security holes in Apple Inc.’s developer website that could allow a malicious hacker to launch phishing attacks against Apple developers, tricking them into divulging their Apple ID login information. Unsatisfied with what it feels is Apple’s slow response, the group has threatened to disclose those security holes in a few days.
At issue is that YGA said it found a “vulnerable code portion in developer.apple.com [called] URL Redirection to Untrusted Site (‘Open Redirect’),” according to Networkworld. Turning to the Common Weakness Enumeration definition from MITRE for this term, we learn that:
“By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.”
In other words, a link to Apple’s Developer Connection can currently be crafted so that it redirects to another site on another server, and that site or webpage can be crafted by the bad guys to look like Apple’s site, and the link will even show as an apple.com URL. If developers then try to log in using their Apple ID logins, they will have given the bad guys those credentials.
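To make the weakness concrete from the defender's side, here is an added example (not code from the article, from YGA, or from Apple's site) contrasting a redirect handler that echoes its `next` parameter, which is the open-redirect pattern CWE-601 describes, with a hardened version that pins the destination to the site's own host. The trusted host `app.example.com`, the function names and all sample URLs are constructed for illustration.

```python
"""Open redirect (CWE-601): a vulnerable redirect handler beside a hardened one.

Constructed example. The host, function names and sample URLs are made up and
say nothing about how any real site's code is written.
"""
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOST = "app.example.com"  # constructed placeholder for the site's own host


def vulnerable_redirect_target(next_url: str) -> str:
    """The weak pattern: whatever the 'next' parameter says, the server
    sends a 302 there. A login link carrying the trusted host name in the
    address bar can therefore land the user on a look-alike page elsewhere."""
    return next_url


def safe_redirect_target(next_url: str, trusted_host: str = TRUSTED_HOST,
                         fallback: str = "/") -> str:
    """Return an absolute https URL on trusted_host, or `fallback` when the
    requested target cannot be shown to stay on-site.

    The result is always rebuilt from parts with scheme and host pinned, so
    an odd-looking path can never change which server the browser contacts."""
    if not next_url or len(next_url) > 2048:
        return fallback
    # Browsers normalise backslashes, tabs, newlines and other control
    # characters in ways urlsplit does not model ('/\\x' and '/\t/x' both end
    # up as '//x'), so refuse them outright rather than trying to parse them.
    if "\\" in next_url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_url):
        return fallback
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute URL, or scheme-relative ('//other.example/...').
        # Only https with an authority that is exactly our host passes.
        # Comparing the whole netloc (not just hostname) also rejects
        # userinfo tricks such as 'https://app.example.com@other.example/'.
        if parts.scheme != "https" or parts.netloc.lower() != trusted_host:
            return fallback
    elif not parts.path.startswith("/"):
        # Plain relative paths ('account') resolve against the current page;
        # keep things predictable by requiring a root-relative path.
        return fallback
    # Pin scheme and host; keep only path, query and fragment from the input.
    return urlunsplit(("https", trusted_host, parts.path or "/",
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed candidate values for a 'next' parameter.
    samples = [
        "/account",
        "https://app.example.com/account?x=1",
        "//other.example/login",
        "https://other.example/",
        "https://app.example.com@other.example/",
        "https://app.example.com.other.example/",
        "/\\other.example",
        "javascript:alert(1)",
        "account",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {vulnerable_redirect_target(s)!r:45} "
              f"hardened -> {safe_redirect_target(s)!r}")
```

The important design choice is the last line of `safe_redirect_target`: rather than trying to decide whether an arbitrary string is "safe" and then forwarding it unchanged, the function discards everything except path, query and fragment and reassembles the URL around a fixed scheme and host. Allow-listing the destination this way is what the CWE-601 guidance amounts to in practice, and it is also the property a code reviewer or scanner should look for in any redirect endpoint.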
YGA said that it warned Apple on April 25th about the vulnerability, and that Apple even acknowledged the problem on April 27th, telling the group, “We take the report of a potential security issue very seriously.”
This is unusual compared to Apple’s historical reputation for not acknowledging security reports until it was ready to fix them, but Apple has been much more aggressive in tackling security problems since Window Snyder was brought into the company in March of 2010 to be Apple’s Senior Product Manager for Security. Since that time, Apple has been far quicker in responding to security reports in its operating systems.
Be that as it may, YGA said that it believes the holes have not yet been repaired, and that this is unacceptable. If Apple doesn’t patch the holes in the next few days, the group said that it will detail the security flaw on Apple’s Developer Connection through the Full Disclosure Mailing List, an “unmoderated high-traffic forum for disclosure of security information.”
This is the same tactic the group used to pressure McAfee earlier this year when that company was slow to respond to a security report from YGA. The group feels that companies, especially companies involved in security or technology, should be more aggressive in operating secure websites, and that they have a larger responsibility to do so.
Other security researchers have taken similar paths in dealing with security holes in Mac OS X and iOS in the past. Frustrated with what they have seen as Apple’s slow response to their reports, some have taken to disclosing them in order to pressure Apple, as well as other companies, to fix them. As noted above, such complaints appear to have quieted since Ms. Snyder joined Apple.