Imagine our surprise when an email from a complete stranger showed up in our tips box containing the personal contact information—including cell phone numbers—of several 9to5Mac staffers, as well as a few high ranking Apple executives.
Last night Apple pulled the Developer Center offline for maintenance, but as is usually the case, no noticeable changes were visible when it came back up. As it turns out, the company was patching a very serious security breach that was discovered over the weekend, allowing anyone to access the personal contact information for every registered iOS, Mac, or Safari developer; every Apple Retail and corporate employee; and some key partners.
The issue was discovered by developer Jesse Järvi and brought to our attention on Saturday. A video of the exploit is below. We ensured that the problem was reported to Apple and ran it up the ladder. Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple. As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.
Järvi has provided us with a full video walkthrough of how he exploited a hole in Apple’s Radar application, an internal program used by Apple employees to manage bug reports submitted through its bug tracker, to gain access to the full roster of registered Apple developers, even those in the free Safari developer program.
The first step in exploiting this hole was downloading the Radar application from Apple’s website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn’t cut off access to other tools contained within the software—including the people lookup function.
Open a directory search, plug in any piece of info, such as a name, phone number, or email address, and the application will promptly bring up a list of matches—no authentication required.
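The flaw described above is a login gate enforced only in the client: the program kicks an invalid login out of the main window, but the directory-lookup function it ships with still talks to a back end that never re-checks who is asking. The following toy service is an added example written for this page, not code from 9to5Mac, Järvi, or Apple's Radar; every name, credential and directory record in it is constructed, and it assumes a simple model in which the server issues session tokens on login and keeps an explicit allow-list of accounts permitted to search. It puts the weak endpoint (trusts the client, answers anyone) next to the hardened one (authenticates and authorizes every request before touching the data).

```python
"""Toy directory-lookup service (added example; all data constructed)."""
import secrets
from dataclasses import dataclass, field

# Constructed sample directory; the real data set is not on the page.
DIRECTORY = [
    {"name": "Alice Example", "email": "alice@example.test", "phone": "555-0100"},
    {"name": "Bob Sample", "email": "bob@example.test", "phone": "555-0101"},
]

# Constructed allow-list of accounts permitted to use the lookup tool.
# Assumption: authorization is a server-side list checked on every request,
# not a flag the client sets after a successful login.
AUTHORIZED_USERS = {"alice@example.test"}

# Constructed credential store; a real one would hold salted password hashes.
CREDENTIALS = {"alice@example.test": "correct horse", "bob@example.test": "staple"}


@dataclass
class Server:
    """Back end with two flavours of the same search endpoint."""
    sessions: dict = field(default_factory=dict)  # session token -> user id

    def login(self, user, password):
        """Issue a session token only for valid credentials. Authentication
        happens here; authorization is still checked on every later call."""
        if CREDENTIALS.get(user) != password:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def _find(self, query):
        """Raw lookup against the directory (internal; no access checks)."""
        needle = query.lower()
        return [e for e in DIRECTORY if needle in " ".join(e.values()).lower()]

    def search_unguarded(self, query):
        """The weak pattern: the endpoint trusts that the client's login
        screen already gated access, so any caller gets an answer."""
        return self._find(query)

    def search(self, token, query):
        """Hardened endpoint: authenticate the token and authorize the user
        on every request, before the data is touched."""
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("not authenticated")
        if user not in AUTHORIZED_USERS:
            raise PermissionError(f"{user} is not authorized for directory search")
        return self._find(query)


def client_lookup(server, user, password, query):
    """Hypothetical client that, like the one described, shows a login
    prompt but lets the lookup tool run whether or not login succeeded.
    With search() the server refuses; only search_unguarded() would leak."""
    token = server.login(user, password)  # may be None on a bad login
    return server.search(token, query)


if __name__ == "__main__":
    srv = Server()
    print("unguarded:", srv.search_unguarded("example"))  # answers anyone
    tok = srv.login("alice@example.test", "correct horse")
    print("guarded, authorized:", srv.search(tok, "bob"))
    try:
        client_lookup(srv, "nobody@example.test", "bad", "alice")
    except PermissionError as err:
        print("guarded, rejected:", err)
```

The point the hardened `search()` makes is that the client's own behaviour is irrelevant to security: whether or not the front end "kicks you out", the server must bind every data-returning call to a session it issued and to an account it has explicitly authorized, and it should log the refusals so an unauthenticated lookup shows up in monitoring rather than in a tips box.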
As we said earlier, this problem has now been patched by Apple. The company has not yet released a public statement on the bug, but did confirm to Järvi that it had been resolved. Apple is expected to issue a statement on the matter shortly and we’ll update when we get that.
Update: iMore notes that Apple has now removed the Radar app from the previous public download link.