
Apple Confirms That Its Dev Center Has Been Breached By Hackers - tomashertus
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/
======
est
I am very surprised the root cause of the incident wasn't mentioned by any
other HNers

This is a serious exploit on Apache Struts 2, a popular Java Web framework
known as SSH (Spring, Struts, Hibernate). If you visit many websites and see
URLs ending with .action, it's probably written in Struts 2.

S2-016 / CVE-2013-2251, affecting Struts 2.3.15 or lower:

[http://struts.apache.org/release/2.3.x/docs/s2-016.html](http://struts.apache.org/release/2.3.x/docs/s2-016.html)

The exploit was deadly easy to weaponize, as the Apache folks blatantly
published a PoC on their own bulletin.

Example of server-side arbitrary Java code (OGNL expression) execution:

[http://wp3.sina.cn/woriginal/761d2801jw1e6pqfs8hrbj20c70gomy...](http://wp3.sina.cn/woriginal/761d2801jw1e6pqfs8hrbj20c70gomyw.jpg)

The Apple.com hacking was published on a popular Chinese security bulletin website:

[http://www.wooyun.org/bugs/wooyun-2013-023444](http://www.wooyun.org/bugs/wooyun-2013-023444)

The issue was submitted to APPL on 2013-05-10 but ignored, and went public on
2013-06-24.

A Chinese blog on history and technical details of the exploit:

[http://www.inbreak.net/archives/507](http://www.inbreak.net/archives/507)

As a side note, rumor is that about 60% of Chinese government, e-commerce,
banking and gaming websites were hacked using this S2-016 exploit, databases were
dumped, and exchanged in the underground market. Also, past records show that the
Apache Struts team is incompetent at security:

[http://taosay.net/?p=611](http://taosay.net/?p=611) (Warning: rant in Chinese
text)
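
An added defender-side example, not from the thread or from Apache: Python that scans Apache combined-format access-log lines for requests shaped like S2-016 probes, i.e. a `redirect:`, `redirectAction:` or `action:` parameter prefix followed by OGNL `${...}`/`%{...}` syntax, which is the mechanism the linked bulletin describes. The log format is assumed and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Parameter prefixes that Struts 2 <= 2.3.15 handed to the OGNL evaluator
# (fixed in 2.3.15.1; see the S2-016 bulletin linked in the comment).
OGNL_PREFIXES = ("redirect:", "redirectAction:", "action:")
# OGNL expression delimiters: ${...} or %{...}
OGNL_MARKER = re.compile(r"[$%]\{")
# Assumed Apache combined log format: client IP, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+"')

def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds of percent-encoding (probes are often double-encoded)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_s2_016_probe(request_target: str) -> bool:
    """True if any query parameter starts with an OGNL-evaluated prefix and
    carries expression syntax after it. A plain 'redirect:/home.action' is
    ordinary Struts usage and is not flagged."""
    _, _, raw_query = request_target.partition("?")
    for raw_param in raw_query.split("&"):
        param = fully_decode(raw_param)  # decode per parameter, not the whole URL
        if param.startswith(OGNL_PREFIXES) and OGNL_MARKER.search(param):
            return True
    return False

def scan_access_log(lines):
    """Return (client_ip, request_target) for every line that looks like a probe."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match and is_s2_016_probe(match.group(3)):
            hits.append((match.group(1), match.group(3)))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2013:10:01:02 +0000] "GET /developer/login.action?user=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Jul/2013:10:01:09 +0000] "GET /developer/login.action?redirect:%24%7B2*3%7D HTTP/1.1" 302 0 "-" "curl/7.30.0"',
    '203.0.113.7 - - [21/Jul/2013:10:01:12 +0000] "GET /developer/home.action?redirect:/developer/index.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Jul/2013:10:01:15 +0000] "GET /developer/index.action?redirectAction:%2524%257B1%2B1%257D HTTP/1.1" 500 0 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"possible S2-016 probe from {ip}: {target}")
```

The third sample line shows the legitimate `redirect:` prefix with a plain path, which must not be flagged, and the fourth shows a double-encoded expression that a single decode pass would miss.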

~~~
ams6110
So Struts 2.3.15.1 which has the fix for this was released 16 July 2013. In
fairness, it may be that Apple, being as big a target as they are, had little
time to react before they were penetrated. But this really goes to show that
when you are informed of a "highly critical" remote code execution
vulnerability in one of your public-facing applications, you need to drop what
you are doing, take the service offline _immediately_ and start the process of
upgrading/patching. You may literally have only minutes.

~~~
codyb
This reminds me of the post I saw on here, can't remember exactly what it was
called, but the guy talked about putting servers up with a honeypot and at
this point within hours they're getting scanned and probed.

He said it used to take days or weeks for that to happen. Now it's hours.

------
rdl
Not giving any notification for several days was pretty bogus. Probably not
actionable under CA law, though.

The sad thing is I know several competent people who work at Apple on
security, although I think they do OS security not online-services. Apple has
proven over and over again that they're utter crap at online services. They're
going to be totally pwned at Blackhat w.r.t. iCloud in a week, too. I don't
understand why they can't just drop $500mm to $2b on buying one or more
competent saas/ops companies to get some real expertise in house, rather than
relying on 15 years of accumulated contractor/vendor built crapware.

~~~
coldtea
> _Apple has proven over and over again that they're utter crap at online
> services._

Yes. They only have the most successful online app and music store service on
the planet.

And one of the biggest backup online service (iCloud) too.

Oh, and the most popular online computer shop.

Utter crap indeed.

> _I don't understand why they can't just drop $500mm to $2b on buying one or
> more competent saas/ops companies to get some real expertise in house,
> rather than relying on 15 years of accumulated contractor/vendor built
> crapware._

For one, you have no idea what saas/ops people they have in-house. Second, you
have no idea how their systems are set up.

Second, you have this baseless idea that throwing money at an engineering
problem solves it (yeah, it worked great for Brooks, Mitch Kapor, and tons of
other multi-hundred-million failed projects out there).

Third, who told you it's "15 years of accumulated contractor/vendor built
crapware"? From the little we know, their current foundation is a cloud on top
of Azure. Which is anything but "accumulated".

~~~
rdl
WebObjects. Essentially a legacy from NeXT, almost 20 years old, and even
Apple abandoned it for everyone except internal use. Finding competent people
for that is...nontrivial.

They also use a lot of Sun/Oracle in general (especially in the early 2000s).
Look how well that worked out for eBay.

Given the runaway success of the iPhone for hardware reasons (and I guess iOS,
and third party developers), you can't really claim the success of the App
Store is due to the quality of the App Store. The iPhone was successful first,
then demand for apps, then Apple built the App Store once regular people were
jailbreaking their devices and doing their own development.

I'll concede iTunes was successful for music on its own, but that's more for
licensing reasons than anything else; I find what.cd a vastly superior
experience as a user, even independent of money, and Gazelle/BT are open
source. Both are better than what the RIAA came up with for sure. Arguably
Spotify, Rdio, Pandora, etc. are better.

Netflix has done a way better job on video than Apple, too.

~~~
dubcanada
Did you just compare a BitTorrent tracker to iTunes?

Anyways ignoring that, the "App Store" was built alongside iPhone and released
at the same time. So I'm not sure where you're getting yo facts from.

But Netflix has done a much better job on video. And I agree that iTunes is a
little weak.

~~~
rdl
Third party apps on the iPhone were originally supposed to just be web apps
run in Safari. iTunes was just for the loading of music (and I think video?)
and basic activation and such. The iPhone was announced in January 2007, and
released in June 2007. The SDK was announced in October 2007, released in
early 2008. You had to wait until users upgraded to iOS 2.0 (released summer
2008) to actually run those apps.

~~~
dubcanada
No, you're right... Still, I find it hard to believe that they built the entire
iPhone SDK and App Store in less than a year. I'm going to guess it was part
of the original idea, just delayed for some reason.

~~~
chc
Of course they didn't build the SDK in less than a year. It's a pared-down
version of what they use to create their own apps.

------
mirkules
A "security researcher" posted a video with compromised accounts claiming to
have deleted all the data after reporting the bugs to Apple:
[http://www.youtube.com/watch?v=q000_EOWy80](http://www.youtube.com/watch?v=q000_EOWy80)

It is really unfortunate and irresponsible that data in the video is not
obscured.

~~~
zapu
Wow. I'm speechless. This guy is really stupid or doesn't care. He can (or
rather "will") get into serious legal trouble.

~~~
chiph
Agreed. What he did might have worked in 2004. But these days he's just going
to end up in serious legal hot water.

------
general_failure
Techcrunch comment -
[http://m.youtube.com/watch?feature=youtu.be&v=q000_EOWy80&de...](http://m.youtube.com/watch?feature=youtu.be&v=q000_EOWy80&desktop_uri=%2Fwatch%3Fv%3Dq000_EOWy80%26feature%3Dyoutu.be)

~~~
abalone
Actual comment is here: [http://fyre.it/tjlVmC.4](http://fyre.it/tjlVmC.4)

Says alternately that he's taken 100,000+ user records, or just 73 Apple
worker records, or no user details at all. And that he's keeping all the
"evidences".

~~~
sillysaurus
Interesting. Anyone want to weigh in on the ethicality of this? (Either side.)

Downloading 100k userdata records seems quite extreme, but is it unethical for
a security researcher to do so?

~~~
daeken
It is absolutely, unquestionably unethical to do that. There's a huge, huge
difference between proving a concept and stealing user data -- no matter what
your end goal is. What possible positive outcome could he be looking for in
taking this data?

~~~
sillysaurus
Anyone know if this was illegal, then? Or will his status as a security
researcher (albeit one with poor judgement) protect him?

~~~
jrockway
There is no such thing as "status as a security researcher". If you want to
research security, I suggest you do it in your lab or with consenting adults.

~~~
Cthulhu_
The only legal security researcher is the one hired by a company to identify
issues during a security audit.

~~~
rdl
It's a whole lot safer doing attacks on a _device_ you own (or downloaded
software you run on your own infrastructure) -- live pentests on someone
else's network infrastructure and hosted applications are pretty similar to a
"real" attack.

------
ancarda
> In order to prevent a security threat like this from happening again, we're
> completely overhauling our developer systems.

I wonder how out of date it was?

> updating our server software

Why now? This should be done as soon as new releases are available. There are
even packages like unattended-upgrades that do it for you.

~~~
nknighthb
> _There's even packages like unattended-upgrades that do it for you._

Anyone deliberately installing such a package on a production server is
dangerous. Their profound lack of judgement disqualifies them from any form of
access to servers I control. Updates break things. They get approved by a
knowledgeable human familiar with the system and installed with suitable
engineers standing by, or they don't get installed.

~~~
duey
Having out-of-date packages on production servers is also dangerous. It really
depends what you consider your biggest risk to be: downtime vs. getting hacked
due to out-of-date packages? I personally would take downtime, but every
place is different.

~~~
nknighthb
A check for necessary updates should simply be part of someone's regular,
preferably daily, routine. It's a basic cost of doing business.

The manpower necessary is not enormous. Any particular security update has a
relatively small chance of requiring prompt installation on a particular
production service. On the unusual day you're struck by lightning, you pull
out the relevant emergency plan and begin executing it.

~~~
jiggy2011
Remember that a lot of small to medium sized websites are maintained by part
time freelancers and don't have anything resembling an ops team, there's
nobody being paid to do the day to day running of the servers.

In such a situation it's probably safer to at least have automatic scheduled
patching against deadly vulnerabilities and accept that occasionally that
might break something.

Of course that wouldn't apply in Apple's case.

~~~
nknighthb
You're positing a scenario that shouldn't occur in the first place. Such a
website should be on a shared or managed hosting service, or alternatively,
there are companies that will, for a reasonable monthly fee, perform basic
routine maintenance such as this on your servers.

If you want to completely mismanage a server you depend on for your
livelihood, I can't stop you. All I can say is you're doing it wrong.

~~~
jiggy2011
Running on shared hosting doesn't solve this and introduces a bunch of other
issues; you still have to worry about WordPress installs or whatever.

There are a lot of poorly managed VPS out there, these would be better served
applying security fixes automatically.

------
k-mcgrady
His credibility as a 'security researcher' is seriously damaged in my opinion
for two reasons:

1. He unnecessarily downloaded so many records

2. He made a YouTube video to brag, showing off names and emails in the
process.

~~~
duiker101
I don't think it was for bragging but more trying to cover his ass. But I
might even be wrong.

~~~
k-mcgrady
True, with his final statement in the video that's what it sounds like he was
trying to do. But if he just found the flaw, reported it to Apple and did nothing
remotely nefarious he shouldn't have felt the need to do the video. It seems
to me he knows he shouldn't have downloaded so many records and is trying to
backtrack to cover himself.

------
martin_
A security researcher has claimed responsibility in a comment[1] on the
article, citing that his intentions were not malicious and that he reported 13 bugs to
Apple prior to the dev center being taken down.

[1] [http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev...](http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/?hubRefSrc=permalink#lf_comment=87472293)

------
untog
It would be nice if they could knock out some easy wins early. I was trying to
set up a new machine on Friday. I wanted to install Homebrew, but it required
the Xcode command line tools. Which are on Apple's dev portal. So I can't use
Homebrew (or build anything at all) on that machine.

These tools and other static downloads (SDKs etc.) are clearly not affected by
this breach - can't they rehost them somewhere in the short term?

~~~
axxl
If you download Xcode via the Mac App Store, I believe you can still install
the command line tools from the downloads pane in the Xcode preferences. I
updated mine yesterday from there no problem. Hope it works for you!

------
ChuckMcM
Bummer, and they have earnings to announce on Tuesday.

~~~
ams6110
The general public won't care so much about the dev center. If iTunes, App
Store, or Apple Store had been hacked that would be much more serious from a
PR standpoint.

~~~
ChuckMcM
My thought was not that the general public would care, rather it was that
institutions that own AAPL stock do care, and if they think that this event will
affect Apple's ability to deliver product or recruit developers they may
decide to shift their portfolios' holdings to a different tech company with more
upside.

------
Tichy
Great, and I can't figure out how to change my Apple password because it asks
me some "security questions" before allowing me to change the pwd (such as
"what was your favorite band in high school").

------
dave1010uk
3 days seems like a long time to alert people. Releasing the news early would
be the right thing to do but keeping it secret until you know the extent of
the breach was probably better for their brand.

------
Zikes
Sounds like Weev is about to get some company.

------
ogwyther
"They waited three days to alert developers because they were trying to figure
out exactly what data was exposed"

Why couldn't they notify people about the hack, then alert them to its
specifics in due course? Piss poor excuse IMO.

~~~
trosenbaum
My guess is that from a PR perspective they might have worried that releasing
the information without a definitive scope of impact would have led to days of
wild panicked speculation in the media outlets, and userbase.

While there was still wild speculation, security was only one of many possible
scenarios being discussed, and it was mostly treated like a regular outage.

I'm not saying this delay in disclosure was "right" (what if it had ended up
worse in scope?), but I agree with sibling post (dave1010uk) that it seems to
have worked out better for their brand.

------
xixixao
Just got a bogus "reset apple id password" email.

> If you weren't trying to reset your password, don't worry – your account is
> still secure and no one has been given access to it.

Ironic.

~~~
momerath
Yeah, I've gotten two today. Can anyone speak to the aim of these?

------
spaux
Word is, APNs is still up, only the dev center has been affected.

------
ars
> Credit card data was not compromised

So? Who cares about credit card data - it's so easy to just send a list of
compromised numbers to the banks and get new numbers. I've been sent new cards
at least twice without being told why they are changing the number, except for
some nebulous "security measure", so they clearly do do this.

Of all things to worry about credit card numbers hardly rank.

I don't know how it works - but can the breach allow attackers to upload
modified apps in the name of the developer?

~~~
T-Winsnes
I would care. If I know that it hasn't been compromised I don't have to get a
new number and go around to all the services I'm registered with to update my
credit card details. Saves me a lot of hassle.

~~~
ars
They are supposed to update those automatically.

~~~
T-Winsnes
Who are? I use my credit card at multiple services. Is the bank going to call
around to services that I have paid for previously and tell them my new credit
card details? I hope not

~~~
mpeg
When you get a new credit card, only the last 4 numbers will change, and your
bank might charge the new credit card for payments that were supposed to be
going to the old card if they are deemed low risk (if it's something you used
to pay for before).

Of course, YMMV, this is just what my bank does.

~~~
300bps
Not even close. I work at a large bank and often 12 or more numbers change.
Beyond that it is irrelevant how many numbers change. Beyond that only
approved but unsettled transactions will go through under the old number. You
can't continue to use the old number for new transactions.

~~~
ars
> Is the bank going to call around to services that I have paid for previously
> and tell them my new credit card details? I hope not

Yes. Anyplace that bills you regularly on the old number will automatically
get the new number.

> You can't continue to use the old number for new transactions.

It depends on how you define new. A new biller, then correct. But if it's a
biller that you have an existing relationship with, i.e. they bill you every
month, then they do send them the new numbers (and/or allow them to use the
old number).

I can't say if this is a global policy of all issuers, but I can say that I've
experienced it. I've also seen it in the fine print when I signed up for
repeated billing.

~~~
agosnell
It's usually called something like "automatic account updater" by the credit
card issuer. I think it's pretty common for merchant banks and merchant
service providers to offer it these days. (We use it where I work.)

Here's an older Braintree blog post about it:
[https://www.braintreepayments.com/blog/automatic-update-of-c...](https://www.braintreepayments.com/blog/automatic-update-of-credit-card-information-for-recurring-billing-merchants)

