Monday, 29 July 2013

Apple Developer Portal Back Online, Partially

Good news for Apple developers: The Apple Developer Portal is partially back online.
Apple took the portal, used by developers who write applications for iPhones, iPads, and Macs, offline on July 18 without any explanation. A few days later, Apple said an intruder had "attempted to secure personal information" from the site. To "prevent a security threat like this from happening again," the company said it would be "completely overhauling our developer systems."
While the main website was restored late Friday afternoon, as of Saturday afternoon, eight of the 15 sections remained offline, according to the portal's system status page. The iOS, Mac and Safari developer centers, iTunes Connect, and the bug reporting system were restored. Others, including documentation, technical support, developer discussion forums and the member center, remained offline.
"Certificates, Identifiers & Profiles, software downloads, and other developer services are now available," Apple said in an email to developers and on the developer update page.
With software downloads back online, developers have access to the latest betas of iOS 7, Xcode 5, and OS X Mavericks again. The portal is used by Apple's community of developers—nearly 6 million in all—to develop software for Apple's platforms.
Data Exposed
Apple took the site down immediately after detecting the intrusion, and assured its developer community that sensitive personal information had been encrypted and could not be accessed. However, names, mailing addresses and email addresses may have been accessed, Apple warned.
Hours after the company announced the breach, penetration tester Ibrahim Balic said he'd uncovered multiple vulnerabilities in the portal which led to the breach. Rather than being an intruder, he claimed he had reported the bugs he'd found to Apple. The portal went offline shortly after he made his last submission, Balic said.
Apple has not commented on Balic's claims, nor provided additional information about the incident.
Was It Really Balic?
A Guardian report cast doubt on whether Balic was actually responsible for the outage. Balic had provided the publication with email addresses of 19 individuals he had obtained from the Apple site. The Guardian also obtained information for 10 additional individuals from a YouTube video Balic had originally created to show how he had breached the site. (The video is no longer publicly available.)
The Guardian was unable to contact any of the 29 people. Seven email addresses bounced, and none of the remaining recipients responded to the Guardian's queries as to whether they were registered with Apple. "It's almost as though these are long-discarded ghost email addresses from year ago or have been used by Balic in his video for reasons best known to himself," Graham Cluley, an independent security consultant, told the Guardian.
Regardless of whether the hack was carried out by Balic or some other unknown intruder, this is a significant breach. Apple is clearly taking the incident seriously by rebuilding the portal one service at a time. The site looks pretty much the same as it did before it went offline, so any major changes and updates would be on the back-end systems. The remaining systems will likely come back online over the next few days as the team finishes rebuilding them.
