Apple's developer site is offline, thanks to a breach.
According to Apple, the breach occurred on July 18.
"Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website," Apple advised. "Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed."
Apple is now overhauling its systems and security procedures to prevent a similar occurrence in the future. In a YouTube video that has now been marked as private, researcher Ibrahim Balic took responsibility for the attack.
Sophos security researcher Chester Wisniewski told eSecurity Planet that he was a little surprised by the Apple developer website hack. "Apple has some of the best security and IT people in the industry, so they were not on my shortlist to wake up to this morning," he said.
Wisniewski questioned Ibrahim Balic's decision to reveal the vulnerability via a YouTube video.
"Aside from what his intentions are, it is a serious crime," Wisniewski said. "You don't rob the bank and then make a video with the loot saying 'Told you so! You are vulnerable to being robbed.' Doesn't usually end well for either party."
Ken Westin, security researcher at Tripwire, told eSecurity Planet that it looks like vulnerabilities allowed access to developer data, but consumer data does not appear to have been compromised.
"However, developers' usernames and passwords are shared across both the developer portal and iTunes accounts, so it would be wise for developers to change their passwords," Westin said. "It appears that sensitive data was encrypted; however, we are not sure exactly which information was encrypted -- Apple is not providing a lot of information at this point."
For developers, Wisniewski also suggests that they consider how much information they need to share with Apple.
"Don't share unnecessary personal details with companies, trusted or not, unless you absolutely need to," he said. "I am not an Apple developer so I cannot speak to there being a reason to have given your mailing address to them or not, but usually I do not disclose any real life details unless I am getting a loan or paying my taxes."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.