Apple patches another major security hole in its website that allowed access to all developer personal information

Screen Shot 2014-04-28 at 3.13.55 PM

Imagine our surprise when an email from a complete stranger showed up in our tips box containing the personal contact information—including cell phone numbers—of several 9to5Mac staffers, as well as a few high ranking Apple executives.

Last night Apple pulled the Developer Center offline for maintenance, but as is usually the case, no noticeable changes were visible when it came back up. As it turns out, the company was patching a very serious security breach that was discovered over the weekend, allowing anyone to access the personal contact information for every registered iOS, Mac, or Safari developer; every Apple Retail and corporate employee; and some key partners.

The issue was discovered by developer Jesse Järvi and brought to our attention on Saturday. A video of the exploit is below.  We ensured that the problem was reported to Apple and ran it up the ladder. Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple . As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.

Read more

Apple says Heartbleed security flaw did not affect its software or services

heartbleed

With an estimated half a million sites vulnerable to the “Heartbleed” vulnerability revealed earlier this week, which allows an attacker to access user details of websites previously believed to be secured by industry-standard SSL/TLS, your favorite social networks, stores, and other services around the web could potentially be handing out your password or other personal information to anyone who exploits the issue.

The bug exists in a library called OpenSSL, which is an open-source SSL implementation that many—but not all—web services use to secure sensitive traffic. If a website you use is affected by the bug, your personal data could be given to just about anyone. Unfortunately, changing your password on an unsecure site won’t even help unless the site’s owners have installed a fix (because the attackers can simply exploit the bug again to get your new password).

This serious issue affects a number of high-profile sites, but it seems your Apple ID is safe. Today, Apple gave the following statement to Re/code:

Read more

Report: EA Games server compromised, hackers stealing Apple ID, credit card & Origin account info

Update: EA said in a statement that it’s investigating the reports (via TheVerge):

“Privacy and security are of the utmost importance to us, and we are currently investigating this report… We’ve taken immediate steps to disable any attempts to misuse EA domains…”

According to a report from internet security and research company Netcraft, hackers have compromised an EA Games server and are currently using it to host a phishing site that steals Apple IDs and more from unsuspecting users. The company published its report today and says it contacted EA yesterday to report the discovery, but as of publishing the compromised server and the phishing site stealing Apple IDs were still online.

Netcraft claims the phishing site being hosted on EA’s servers not only asks for an Apple ID and password but also the user’s “full name, card number, expiration date, verification code, date of birth, phone number, mother’s maiden name, plus other details that would be useful to a fraudster.” Netcraft also reports that EA Games is being targeted in other phishing attacks that are attempting to steal user data from its Origin game distribution service: Read more

Apple’s two-step verification for Apple IDs arrives in Canada, France, Germany, Japan, Italy, & Spain

Apple-Two-Step-Verifiication

Back in May of last year, a long list of readers in countries around the world reported having access to Apple’s two-step verification security feature for their Apple ID. Shortly after the news broke, the feature disappeared in many countries signaling it had been launched prematurely. The only officially supported countries listed on Apple’s website included the “U.S., UK, Australia, Ireland, and New Zealand.” However, today the feature has appeared in several new countries including Canada, France, Germany, Japan, Italy, & Spain. Apple has also updated its support pages for two-step verification here and here to list the new countries. 

Read more