Update #2: The Apple Developer Center is back up after downtime.
Update: Downtime may be due to a recently discovered vulnerability. See after the jump for details.
Apple’s developer center has been unavailable over the past few hours without explanation. It’s not uncommon to see the site go down for a few hours near announcement events, but today’s reason might be more ominous. Multiple developers across Twitter are postulating that the downtime may be due to a hack.
3-Pack 10-Ft MFi-Certified Lightning - $16.99
A few developers have noticed that their developer profile addresses are now showing an address in Russia instead of their own. This has led some to speculate that maintenance in regards to a hack is behind the developer center’s downtime.
While developers may not need to access the site every moment of the day, it can cause development downtime. When compiling code using Apple’s development software Xcode, sometimes the application needs to phone home for code-signing requirements. This means that many devs can be left out in the cold while awaiting Apple’s maintenance.
Apple currently lists seven different types of maintenance on the developer System Status page.
Back in 2014, developer Jesse Järvi discovered that an exploit in Apple’s Developer Center allowed for personal contact information discovery. Järvi was able to pull personal information from various 9to5Mac employees and Apple executives. Apple quickly patched the problem once it was brought to their attention.
Update: A few years ago, Apple’s Developer Center suffered a four-day outage required by a complete overhaul of their internal systems. At that time, the outage was speculated to be caused by a vulnerability in Apache Struts 2.
A 9to5Mac reader pointed out that today’s downtime may be a result of yet another similar vulnerability, CVE-2017-9805. Discovered by researchers at lgtm.com, the vulnerability demonstrates that Apache Struts is vulnerable to remote code execution. According to lgtm.com, “This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin”.
A patch for the vulnerability was released today, and Apple may be slowly working through getting it applied onto their servers. It may also be possible that the servers were exploited using this vulnerability and Apple is in the mitigation stages now.