Imagine our surprise when an email from a complete stranger showed up in our tips box containing the personal contact information—including cell phone numbers—of several 9to5Mac staffers, as well as a few high ranking Apple executives.

Last night Apple pulled the Developer Center offline for maintenance, but as is usually the case, no noticeable changes were visible when it came back up. As it turns out, the company was patching a very serious security breach that was discovered over the weekend, allowing anyone to access the personal contact information for every registered iOS, Mac, or Safari developer; every Apple Retail and corporate employee; and some key partners.

The issue was discovered by developer Jesse Järvi and brought to our attention on Saturday. A video of the exploit is below. We ensured that the problem was reported to Apple and ran it up the ladder. Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple. As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.

Järvi has provided us with a full video walkthrough of how he exploited a hole in Apple’s Radar application, an internal program used by Apple employees to manage bug reports submitted through its bug tracker, to gain access to the full roster of registered Apple developers, even those in the free Safari developer program.

The first step in exploiting this hole was downloading the Radar application from Apple’s website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn’t cut off access to other tools contained within the software—including the people lookup function.

Open a directory search and plug in any piece of info, such as a name, phone number, or email address, and the application will promptly bring up a list of matches—no authentication required.
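To make the failure mode concrete, here is an added toy model (not Apple's Radar code, nor anything from the article): a service that checks for a login on its bug-manager function but, in the vulnerable variant, not on its people-lookup function, plus an audit helper that probes each endpoint with a session that never logged in. All records, user names and credentials are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample directory and credential store (not real people).
DIRECTORY = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100"},
    {"name": "Bob Sample", "email": "bob@example.com", "phone": "555-0101"},
]
AUTHORIZED_USERS = {"employee@example.com": "correct-horse"}


@dataclass
class Session:
    """Server-side session; `user` stays None until login succeeds."""
    user: Optional[str] = None


def login(session: Session, user: str, password: str) -> bool:
    if AUTHORIZED_USERS.get(user) == password:
        session.user = user
        return True
    return False


def bug_manager(session: Session, query: Optional[str] = None) -> str:
    # The gated function: refuses callers that never logged in.
    if session.user is None:
        raise PermissionError("login required")
    return "bug list"


def people_lookup_vulnerable(session: Session, query: str) -> List[dict]:
    # The flaw: no session check, so any caller gets directory matches.
    q = query.lower()
    return [r for r in DIRECTORY if any(q in v.lower() for v in r.values())]


def people_lookup_fixed(session: Session, query: str) -> List[dict]:
    # Hardened form: apply the same check the bug manager already applies.
    if session.user is None:
        raise PermissionError("login required")
    return people_lookup_vulnerable(session, query)


def audit_unauthenticated(endpoints: Dict[str, Callable]) -> List[str]:
    """Names of endpoints that serve data to a session that never logged in."""
    leaking = []
    for name, fn in endpoints.items():
        try:
            fn(Session(), "example")
        except PermissionError:
            continue
        leaking.append(name)
    return leaking
```

The point of the audit is that a failed login must leave every data-returning function, not just the main screen, refusing service.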

As we said earlier, this problem has now been patched by Apple. The company has not yet released a public statement on the bug, but did confirm to Järvi that it had been resolved. Apple is expected to issue a statement on the matter shortly and we’ll update when we get that.

Update: iMore notes that Apple has now removed the Radar app from the previous public download link.

Thanks to Dom Esposito (YouTube Channel) for editing out the Tim Cook details

29 Responses to “Apple patches another major security hole in its website that allowed access to all developer personal information”

  1. Jesse Järvi says:

    <3

  2. danbridgland says:

    Great work all! Would be nice to see Apple show some due respect and acknowledge the efforts of 9to5mac.

    • Jesse Järvi says:

      What about me :’(

      I sent an email to apple security team about this, and all I got was just arrogant canned responses. It made me really mad and sad.

      • You must be thankful that you are not in jail.

        What do you think if someone gets a copy of your house key and alarm code (and the one to have access is your housekeeper), then that person enters your house, makes a copy of all your private stuff and uploads it to YouTube, just to prove he can enter your house? Fun right?

      • Jesse Järvi says:

        It’s more like that every single key works in a lock.

  3. There is also a big security flaw in Android which directly affects the sim card. The only known fix is to put a sleeve around the sim. You can google it, they call the sleeve “iPhone”.

  4. Oi. Any way to tell if your creds got yanked, or is it pretty much a given?

  5. Waiting for an email from Apple acknowledging/informing on this…

    Whatever happened to responsible companies? Apple has, for almost 40 years, promoted itself as being a different kind of company. Yet, each and every time they get caught with their pants down, security-wise, they clam up even tighter than usual. Very sad. All devs should have gotten an IMMEDIATE mailing, even if Apple had NO INFORMATION of in-the-wild exploitation, warning of potential phishing attacks, social engineering attacks, etc. That is what RESPONSIBLE people do…they ADMIT when there is an issue and they are UPFRONT about it. Instead, an entire business day has come and gone, and I found out about something like this from 9to5. (Thanks, guys, not a kick to you…just not who I want to hear from after something like this.)

    Apple is acting more and more like a bunch of elitist politicians…lying, evading, dissembling. You can’t SAY you’re a different kind of company while acting just like all the rest of the trash, at least not do so and expect people to believe it for long.

    • Tallest Skil says:

      Thanks for the FUD.

    • Really? You want to be made aware of every single vulnerability in every single piece of software you run whether there’s been a credible leak of information or not? You want to tell everyone else that information is freely available before the bug has been fixed? Are you crazy or just bored?

    • Can you calm down? The article said Apple has not –> YET <– made a statement on the security flaw. So before you go again bad mouthing Apple, think about what you are doing because you are seriously overreacting right now. Like Apple can't just wake to talk about anything related to their company just because you want them to.

    • And they come out of the woodwork…the fanboi apologists, led by Tallest Skil.

      I want to be told, @jkichline, when my personal information has been compromised. Not every piece of software I run has my email address, my mailing address, my telephone number, etc, much less that information for employees who I, competitively, don’t want others to have. The bug has been fixed now for several days, still no notification. 9to5 publishes it (and good for them), still no peep from Apple. The information could be being exploited NOW. Which goes to @Shadowelite0523…how long do you want me to wait? I understand that your limited grasp of how things work might make it unintuitive, but Apple has the means to IMMEDIATELY communicate a warning to the very email address that they leaked, Pony Express died out well before the internet as the necessary mode of communicating bad news. I expect at least a notification of the breach by now, they had an entire business day. Ultimately, that kind of information should have been divulged immediately.

      But hey, no biggie…we should just give Apple a pass, there is no such thing as privacy, whatever, right? You folks are bozos. I watched Apple nosedive to near self-destruction once while ass-kissing morons like you all cheered its greatness. It will surely happen again with brainless cheerleaders like your ilk rah-rahing this management crew. I’ll fill you in: there was a day when companies who proclaimed to be as good at coding as Apple took pride in designing/engineering systems that didn’t leak entrusted private information, Apple was even one of them. As long as the crowd lets them make $150B and not do a better job, they won’t. So thanks for making Apple crappier than they should be; me, I have higher expectations.

  6. gkmac says:

    How did they get the Radar app? Despite what the article says you can’t really download it “from Apple website”. At least not at any known URL or without proper login.

    Sounds more like it was stolen/leaked from somewhere or by someone?

    I guess the article could mention that – as all developers know – the tool is not public, but hey that tones down the “major security hole” a little bit and thus pagehits…

    • Yeah… that seems like a huge, glaring issue with this “major security hole”. Only Apple employees have access to Radar and those people have always had access to all the developer info. I guess if you get your hands on Radar somehow, that could give you that info, but that’s not a public security hole. The number of people who would have access to Radar that aren’t Apple employees is slim to none.

      • Mike Beasley says:

        Radar was available publicly just by guessing a drop-dead easy URL. It has been pulled now, so I can tell you that it was bugreport.apple.com/downloads/radar.dmg.

        Literally any person at all could download this. You didn’t have to be an Apple employee to get it. You didn’t have to be an Apple employee to access the directory. You or I could have downloaded it and accessed this information just by guessing that URL (or having it shared by anyone in the past who discovered it).

        The developer who discovered this hole is not an Apple employee yet he had no trouble getting to this info. People have known about this app for a long time, but because it requires an employee login to actually access the bug manager, no one ever thought to try searching the directory without logging in. Well, until recently, that is.

      • Overlord says:

        “Only Apple employees have access to Radar and those people have always had access to all the developer info.”

        Stop with the bullsh*t, please.

  7. Heh. Some of these comments.
    Issues like this can happen. It’s just life. Well done Jesse et al. for finding this flaw and 9to5Mac for doing the right thing and reporting it to Apple *BEFORE* posting about it, unlike most sites which would just go “OMG LOOK AT THIS ITS SO BAD EVERYONE GET IT NOW” and be surprised when they get shafted.

    A good honest days work done here I’d say! Yay for community!
