While the "intruder" who accessed the Apple Developer Center turned out to be a curious penetration tester, attacks against developer sites can have serious consequences beyond the theft of personal information.
Apple shut down its Mac, iPhone, and iPad developer Website last Thursday, saying it was performing unscheduled maintenance. It provided no other information, and developers grew increasingly worried about the prolonged outage. With the portal down, these developers could not work on new code, check on the status of their existing apps, or manage their accounts.
"Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website," Apple finally told developers via email Sunday evening. While sensitive information was encrypted and was not accessed, the company said "some developers' names, mailing addresses, and/or email addresses may have been accessed."
Not a Malicious Attack?
Ibrahim Balic, a London-based penetration tester, took exception to being called an intruder. Companies regularly hire Balic to try to find vulnerabilities in their systems, and he recently decided to take a look at Apple's sites. He found 13 bugs in total, all of which were reported using the online bug reporter, he said. Four hours after his last bug report, the portal was taken down.
"Apple!! This is definitely not a hack attack!! I am not a hacker, I do security research," Ibrahim Balic wrote on Twitter.
Balic said Apple had not responded to his bug reports. "I did not do this research to harm or damage," he said in a comment posted on TechCrunch. He created a YouTube video to show how he had accessed developer information, but took it down after realizing that he hadn't obscured the names and details of the individual developers.
Why Target Developers Anyway?
Balic may not have intended anything malicious during his foray into Apple's servers, but developers are increasingly being targeted. Canonical disclosed that its Ubuntu forums were breached over the weekend. These attacks aren't so different from attacks on any other site. As in previous incidents, these users are now at risk for social engineering attacks such as fake password resets. Attackers may also attempt to log in to other sites with the stolen credentials.
Developer portals are "hubs" with users from many different organizations, said Mike Lloyd, CTO of RedSeal Networks. The attacker may not be interested in the actual data stored on the developer site itself, but rather the login credentials that may work on other sites, Lloyd said. "If you can compromise the account details on a hub site, the odds are good that you now have valid logins for a large number of other companies," Lloyd said.
Earlier this year, an iOS developer forum was compromised and infected employees at Twitter, Facebook, and others with malware. Attackers targeting the Apple developer site could be interested in launching watering hole attacks to target developers at other companies, said Lee Weiner, senior vice-president of products and engineering at Rapid7.
Attackers with stolen Apple developer accounts would be able to upload potentially malicious applications under the compromised developer's name, said Michael Sutton, vice-president of security research at Zscaler.
Since the accounts hold the developer's signing certificate for approved apps, there is the danger that attackers may sign malicious apps using the legitimate certificates, said Tommy Chin, technical support engineer at CORE Security. "Fake authenticated apps in the App Store will appear if Apple doesn't keep the portal down until it's fixed," Chin said.
"The attack comes at a bad time for Apple as it has forced them to take the developer portal offline as developers are preparing applications for iOS 7, slated for release in the fall," Lloyd said.