Security Breach Knocks Apple for an Infinite Loop
It seems security researcher Ibrahim Balic would have been happy with a thank you and perhaps an Apple t-shirt in return for notifying the company of a baker's dozen of vulnerabilities on its dev forum. But no. As he tells it, Apple didn't even give him the courtesy of a reply but instead shut down the site. Apple has admitted the forum was hacked and said it was "rebuilding" its database.
Jul 22, 2013 5:10 PM PT
Three days after Apple took down its developer website claiming it was performing unscheduled maintenance, the company emailed devs admitting the site had been hacked and some data may have been stolen.
It also posted a message on the site stating that some developers' names, mailing addresses and email addresses may have been exposed, but that sensitive personal information was encrypted and could not be accessed.
Apple made the announcement in the spirit of transparency, it said, an issue that has been getting a lot of attention lately. Like other tech giants, Apple has argued for transparency in demanding the federal government let it tell customers what data is being requested by the NSA for its PRISM surveillance program.
Apple's dev forum hack may have been the work of security researcher Ibrahim Balic, who tweeted that he was responsible for the breach and posted a video on the Internet showing personal data on devs accessed during the break-in. Balic contacted Apple to inform it of the site's vulnerabilities but got no response, he said.
Balic has since retracted that video and posted another on his personal website complaining about Apple's reaction to his efforts.
Apple did not respond to our request for further details.
What the Fuss Is About
Apple has 275,000 registered third-party developers of Mac, iPhone and iPad apps signed on to its dev portal.
Balic found 13 bugs and notified Apple of them all, he claimed, explaining that his intention from the start was to find and report weaknesses for Apple's benefit as he has done for other tech companies, including Facebook and Opera.
However, some devs had apparently received password resets against their Apple ID, which could indicate attempted exploits.
Apple is completely overhauling its developer systems, it said, updating its server software and rebuilding its entire database to prevent further breaches. Devs whose program membership expires while Apple is refurbishing its developer portal will have their membership extended, and their apps will remain in the iTunes app store.
Apple's Crisis Management
Apple's delay in notifying devs has been likened to Sony's actions when its PlayStation network was hacked in 2011.
However, while Sony's tardiness in notifying users of its website hacks outraged users and eventually led to demands for an explanation by Rep. Mary Bono Mack, R-Calif., opinion is divided about Apple's belated response.
"Without knowing the extent [of the breach], it's impossible to conjecture whether Apple was wise to shut out users," Steven Bristol, cofounder of Less Accounting and a developer himself, told MacNewsWorld.
On the other hand, "I think Apple may have had a bit of a mixup in letting it go so long and bringing down the site for so long with fixing it," remarked Michael King, director of enterprise strategy at Appcelerator.
The Worm in Apple's Core
The delayed response has sparked questions and possibly stoked the embers of discontent.
"This is one more thing against Apple," King told MacNewsWorld. "The 30 percent that Apple takes [of app revenue] doesn't sit well with everyone -- and there's an option because there's a fair amount of interest in Android."
Developers "won't leave Apple for this, but they'll look at other opportunities," King suggested. "It's never going to be one thing that kills you -- it's lots of little things."
One of those little things could be the phrasing of Apple's statement.
"My biggest concern as I read the reports is that Apple is taking time to rebuild their database," Bristol said. "Databases simply do not need to be rebuilt; that's not how they work."
Apple's statement could be "a poor use of language by a non-technical person," Bristol speculated. Or, it could mean that Apple's now encrypting all the data in the dev portal, or that the attack damaged data so some or all of the database is being restored from the backup.
Still, "I don't see developers or companies fleeing Apple over this -- they will go or stay where the customers are," Bristol opined.
Companies with a BYOD program, as well as smartphone users, need to be on the alert.
"Mobile will increasingly become a more popular attack vector as the devices increasingly house more of our information," Jason Wong, director of product marketing at SilverSky, told MacNewsWorld, "and security is more lax than on desktops and laptops in terms of both user behavior and software protection."