Developer Center Downtime
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
Nick Arnott interviews Ibrahim Balic:
With altered web requests, Balic found that by only providing a single piece of user information, first name, last name, etc., he was able to get Apple’s servers to return additional information for a matched user account — specifically full name, username and email address.
[…]
So if the bug was in iAd, why does Balic believe he might be responsible for the developer portal outage? Of the 13 bugs that Balic filed with Apple, one of them was a XSS (cross-site scripting) vulnerability in the developer site that could have led to accounts being compromised. In fact, of the 13 total bugs, 12 of them were XSS vulnerabilities in various Apple services that had the potential to expose user details.
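The lookup behaviour Balic describes above, where a request carrying a single known attribute comes back with the rest of the matched record, is a classic information-disclosure pattern. The following Python is an added illustration, not code from the page, from Apple, or from Balic: a hypothetical account-lookup handler with the weak behaviour next to a hardened one. Every name, function and record in it is constructed for the example.

```python
from dataclasses import dataclass, asdict, fields

# Hypothetical account record; the field set is an assumption for this example.
@dataclass(frozen=True)
class Account:
    username: str
    first_name: str
    last_name: str
    email: str

# Constructed sample directory; none of these are real people or accounts.
ACCOUNTS = [
    Account("alice01", "Alice", "Example", "alice@example.test"),
    Account("bob77", "Bob", "Sample", "bob@example.test"),
    Account("alice02", "Alice", "Other", "alice.o@example.test"),
]

ACCOUNT_FIELDS = {f.name for f in fields(Account)}


def leaky_lookup(params):
    """Weak handler: any single attribute the client supplies (e.g. just
    first_name) counts as a match, and the whole record is returned for
    every match, so one known detail yields the rest of the profile."""
    hits = []
    for acct in ACCOUNTS:
        if any(getattr(acct, key) == value
               for key, value in params.items() if key in ACCOUNT_FIELDS):
            hits.append(asdict(acct))
    return hits


# Only this field is treated as public profile data in the hardened handler.
PUBLIC_FIELDS = ("username",)


def hardened_lookup(params, caller):
    """Hardened handler.

    * Unauthenticated callers get nothing.
    * The only accepted lookup key is the exact username; names and e-mail
      addresses are never search keys, so a guessed attribute cannot pivot
      to a record.
    * A caller sees its own full record; anyone else's record is reduced to
      the PUBLIC_FIELDS allowlist.
    """
    if caller is None:
        return []
    username = params.get("username")
    if not isinstance(username, str):
        return []
    for acct in ACCOUNTS:
        if acct.username == username:
            record = asdict(acct)
            if acct.username == caller:
                return [record]
            return [{key: record[key] for key in PUBLIC_FIELDS}]
    return []


if __name__ == "__main__":
    # Same partial request against both handlers.
    print("leaky:", leaky_lookup({"first_name": "Alice"}))
    print("hardened:", hardened_lookup({"first_name": "Alice"}, caller="bob77"))
    print("hardened, by username:", hardened_lookup({"username": "alice01"}, caller="bob77"))
```

The point of the hardened version is that authorization, not just authentication, decides which fields come back: the server derives the response from who is asking, rather than from which attributes the client chose to send. A detection-side check for the weak pattern is to alert on lookup endpoints that return more fields than the request's authorization level permits.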
Update (2013-07-24): They’ve added a system status page.
Update (2013-07-28): Sites are reporting that the ADC Web site is back up, although the status page shows that Xcode Automatic Configuration (presumably necessary to install the command-line tools), Pre-Release Documentation, Videos, Member Center, App Store Resource Center, Program Enrollment and Renewals, Apple Developer Forums, and Technical Support are all still down.
Update (2013-08-10): All the services are back online.
Update (2013-08-21): Juli Clover (via John Gruber):
Apple has released new details (via @cabel) on the security flaw that caused the Developer Center to be down for more than a week, noting via its Apple Web Server notifications page that a “remote code execution issue” was fixed.
[…]
While security researcher Ibrahim Balic speculated that he might have been behind the security breach, it is now clear that the issue he reported was unrelated to the major flaw that caused the downtime.
• I don't really care that bugreporter is down. It is down most of the time anyway. What about version 2.0, BTW? Has it been trashed?
• I don't really care that the dev forums are down. 50% of the time, you do not find/get an answer.
• But I do care about the videos and download sites being down, as there's no alternative source to get them.