
Apple Developer Website Update - danielsiders
Email from Apple

Apple Developer Website Update

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
======
Lightbody
Here's my semi-educated guess for how the attack started: from casual
observation (view source, URLs ending with .action, etc) a good chunk of the
ADC is written in Java and uses WebWork/Struts2, a framework I helped create
years ago.

Late last week a security advisory came out that allows for executing
malicious code[1]. Atlassian, which uses similar technology, also issued
announcements around the same time[2]. My wild speculation is this was the
attack vector.

Sadly, I feel some responsibility for this pretty major security hole. There
have been a few like this and they are all rooted in the fact that almost 9
years ago I made the (bad) decision to use OGNL as WebWork's expression
language. I did so because it was "powerful" but it opened up all sorts of
extra binding trickery I never intended. I haven't been contributing to the
project in 5+ years, but this is a good reminder how technology choices tend
to stick around a lot longer than you ever imagine :)

[1] [http://struts.apache.org/release/2.3.x/docs/s2-016.html](http://struts.apache.org/release/2.3.x/docs/s2-016.html)
[2] [https://confluence.atlassian.com/display/BAMBOO/Bamboo+Secur...](https://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2013-07-16)

~~~
colanderman
_technology choices tend to stick around a lot longer than you ever imagine
:)_

It amazes me how true this is. I've learned that assertions such as "this is a
mockup and should be replaced ASAP for reasons X Y Z" tend to get ignored by
inheritors of proofs-of-concepts for as long as (or longer than) possible. My
coworkers wonder why now I fight tooth-and-nail to (from their perspective)
over-engineer things from the start; I know that short-sighted decisions will
never be revisited until it's too late.

~~~
karlkatzke
This is the biggest reason that I hate all of the "go fast and break things"
culture around here. There has to be a balance, but big names and investors
don't seem to be encouraging them.

------
jpdoctor
> _Sensitive personal information was encrypted and cannot be accessed,
> however, we have not been able to rule out the possibility that some
> developers’ names, mailing addresses, and/or email addresses may have been
> accessed._

So they can't rule out the possibility that sensitive personal information,
which cannot be accessed, has been accessed. Got it.

Apparently our intelligence, which cannot be insulted, has been insulted.

~~~
kristofferR
By "sensitive personal information" they probably just mean passwords and
credit card information, not names, email addresses and mailing addresses.

~~~
_delirium
Passwords could be hashed, but credit-cards are the big one you have to keep
in plaintext. If you want to bill the card without asking for the number to be
reentered, there's no way to avoid storing the number and expiration date. PCI
does mandate that you keep less than necessary to initiate a new charge,
though: you are not allowed to store the 3-digit verification code from the
back of the card. Future charges from the same vendor can go through based on
the stored information (without re-sending the verification code), but charges
from a new vendor would need the code, so this is intended to make it harder
for someone who stole the saved information to initiate a new charge. A
loophole is that _in-person_ charges do not use the verification code, so
someone could use the saved information to fabricate physical cards, and try
to use them at stores (the U.S. doesn't typically use either chipped or PIN-
protected credit cards, so cloning a card from the number is relatively easy,
prevented more or less only by the heuristic fraud-detection algorithms).

~~~
kybernetyk
Purchases of developer memberships are handled through Apple's online store.
And that is still up.

~~~
weaksauce
There also is the bank account information for apple created payments to the
developers... that could be part of the compromised items.

~~~
conradev
That is in iTunes Connect, completely separate from the developer portal.

------
tcas
I downloaded the CRL for developer certificates [1] and quickly looked at it
using grep:

      grep -E "Revocation Date: Jul 17 .{8} 2013" wwdrccrl.txt | wc -l
          3065
      grep -E "Revocation Date: Jul 18 .{8} 2013" wwdrccrl.txt | wc -l
          2289
      grep -E "Revocation Date: Jul 19 .{8} 2013" wwdrccrl.txt | wc -l
             2
      grep -E "Revocation Date: Jul 20 .{8} 2013" wwdrccrl.txt | wc -l
             0
      grep -E "Revocation Date: Jul 21 .{8} 2013" wwdrccrl.txt | wc -l
             0

These are the two certificates that were revoked on the 19th:

      grep -A 3 -B 1 -E "Revocation Date: Jul 19 .{8} 2013" wwdrccrl.txt
          Serial Number: 2628C7F90970D227
              Revocation Date: Jul 19 03:14:04 2013 GMT
              CRL entry extensions:
                  X509v3 CRL Reason Code: 
                      Key Compromise
      --
          Serial Number: 1A51ABFA4844BD45
              Revocation Date: Jul 19 03:24:03 2013 GMT
              CRL entry extensions:
                  X509v3 CRL Reason Code: 
                      Key Compromise

To generate the wwdrccrl.txt file I used:

      openssl crl -inform DER -text -noout -in wwdrca.crl > wwdrccrl.txt

Just to be clear -- every entry there I see lists the reason as Key
Compromise, just interesting that they usually seem to revoke at least 2000
certificates a day but suddenly stopped on the 19th with just revoking 2.

[1] [http://www.apple.com/certificateauthority/](http://www.apple.com/certificateauthority/)
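
An added example (not tcas's code) that does the same counting over the whole `openssl crl -text` dump at once instead of one grep per day, and also tallies the reason code per day so a shift in the mix of reasons is visible. The CRL text embedded below is constructed in openssl's layout for illustration; only the two Jul 19 serials are taken from the comment above.

```python
"""Parse an `openssl crl -text -noout` dump and tally revocations per day,
generalising the grep | wc -l loop above to every day in the CRL."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample in the layout openssl prints; NOT the real Apple CRL.
# The two Jul 19 serials are the ones quoted in the comment above.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=Apple Inc./CN=Apple Worldwide Developer Relations Certification Authority
        Last Update: Jul 21 12:00:00 2013 GMT
        Next Update: Jul 28 12:00:00 2013 GMT
Revoked Certificates:
    Serial Number: 0000000000000001
        Revocation Date: Jul 17 09:12:00 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
    Serial Number: 0000000000000002
        Revocation Date: Jul 17 21:40:11 2013 GMT
    Serial Number: 0000000000000003
        Revocation Date: Jul 18 02:05:59 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Cessation Of Operation
    Serial Number: 2628C7F90970D227
        Revocation Date: Jul 19 03:14:04 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
    Serial Number: 1A51ABFA4844BD45
        Revocation Date: Jul 19 03:24:03 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
DATE_RE = re.compile(r"^\s*Revocation Date:\s*([A-Z][a-z]{2})\s+(\d{1,2})\s+"
                     r"(\d\d:\d\d:\d\d)\s+(\d{4})\s+GMT\s*$")
REASON_HDR_RE = re.compile(r"^\s*X509v3 CRL Reason Code:\s*$")


def parse_crl_text(text):
    """Return one {'serial', 'date', 'reason'} dict per revoked cert; an entry
    without a CRL Reason Code extension is recorded as 'unspecified'."""
    entries = []
    current = None
    expect_reason = False
    for line in text.splitlines():
        m = SERIAL_RE.match(line)
        if m:  # start of a new revoked-certificate entry
            current = {"serial": m.group(1).upper(), "date": None,
                       "reason": "unspecified"}
            entries.append(current)
            expect_reason = False
            continue
        if current is None:
            continue  # still inside the CRL header
        m = DATE_RE.match(line)
        if m:
            mon, day, hms, year = m.groups()  # openssl pads single-digit days
            current["date"] = datetime.strptime(
                f"{mon} {int(day)} {hms} {year}", "%b %d %H:%M:%S %Y")
            continue
        if REASON_HDR_RE.match(line):
            expect_reason = True  # the reason text is on the following line
            continue
        if expect_reason and line.strip():
            current["reason"] = line.strip()
            expect_reason = False
    return entries


def revocations_per_day(entries):
    """Count revocations per UTC calendar day, as the grep loop does by hand."""
    return Counter(e["date"].date() for e in entries if e["date"])


def entries_on(entries, day):
    """Entries revoked on one calendar day, in CRL order."""
    return [e for e in entries if e["date"] and e["date"].date() == day]


def reasons_on(entries, day):
    """Reason-code histogram for one day, so a change in the mix stands out."""
    return Counter(e["reason"] for e in entries_on(entries, day))


def quiet_days(counts, baseline):
    """Days whose revocation count drops below the usual daily baseline."""
    return sorted(d for d, n in counts.items() if n < baseline)


if __name__ == "__main__":
    # Usage: python crl_stats.py wwdrccrl.txt  (falls back to the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRL_TEXT
    parsed = parse_crl_text(src)
    for day, n in sorted(revocations_per_day(parsed).items()):
        print(day, n, dict(reasons_on(parsed, day)))
```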

~~~
cmelbye
That's because the portal is down and people can no longer log in to revoke
their developer certificates.

~~~
tcas
That's what I thought -- but it was also down the 19th yet 2 were revoked.

Probably means nothing however. I doubt that anybody with the ability to get
into the system would want to get only developer certificates.

------
dakrisht
"Completely overhauling our developer systems, updating our server software,
and rebuilding our _entire_ database."

That does not sound like an intruder "attempt" by any means.

They got hacked, and they got hacked bad if they're rebuilding databases and
overhauling entire enterprise-class systems over there.

Transparent my ass. They're deep in the gutter, 3-days and counting no fix,
engineers are probably working 24 hours a day and the entire site is still
down. This isn't a small time breach folks. They had to go public considering
it will probably be down for a few more days...

------
sarreph
A little more info from TC: [http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev...](http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/)

Update — Just got off the phone with an Apple rep, who confirmed a bit more:

- The hack only affected developer accounts; standard iTunes accounts were
not compromised

- Credit card data was not compromised

- They waited three days to alert developers because they were trying to
figure out exactly what data was exposed

- There is no time table yet for when the Dev Center will return

------
johansch
There is an interesting comment at techcrunch:

[http://fyre.it/tjlVmC.4](http://fyre.it/tjlVmC.4)

"[...] One of those bugs have provided me access to users details etc. I
immediately reported this to Apple. I have taken 73 users details (all apple
inc workers only) and prove them as an example.

4 hours later from my final report Apple developer portal has closed down and
you know it still is. I have emailed and asked if I am putting them in any
difficulty so that I can give a break to my research. I have not gotten any
response to this.. [...] "

~~~
cromwellian
Looks like Apple is using Google Web Toolkit, those are GWT RPC responses. He
probably found a CSRF attack.

------
jchimney
I read the comments dismissing Apple's handling of this. What would you have
expected them to do? There is a LOT of forensics going on probably even now
trying to get a handle on this. A massive corp isn't going to make an
announcement until they have some idea what they're talking about. In my books
4 days is a very quick first announcement from a company of this size.

------
tsm
These details are befuddling. "Personal information was encrypted and cannot
be accessed". It can't be accessed because it's somehow stored elsewhere, or
it can't be accessed _because_ of the encryption? That is, does the intruder
currently own my encrypted data?

I'm also disappointed that it took them 72 hours to tell us _anything,_ and
that the update doesn't even have a timeline for when the site may be back.
"Soon" is meaningless.

~~~
Watabou
Yeah I'm confused why companies tell us DAYS after something serious happened
as opposed to right away. I can understand waiting a day but 3 whole days?! I
just don't understand the delay.

It's our data, we should have the right to know what happened to it.

~~~
larrys
"why companies tell us DAYS after something serious happened"

Companies are people. And all the relevant parties involved in handling this
may not be accessible to make a decision as quickly as needs to be done. Or at
least quickly enough to satisfy all people.

Do you feel you suffered any harm in particular by the delay of three days?

~~~
Watabou
I'm mainly complaining about the delay in telling us anything.

What I would love is an update whenever they suspect an intruder has accessed
sensitive information. Many websites like Dropbox and last.fm do have a server
status where they tell us if they have any planned maintenance or just general
status of the server. Why can't Apple and the rest of the big companies do
that?

Also, Apple first said it was just regular maintenance. I'm just confused as
to why they said that instead of telling us the truth.

~~~
justinsteele
Likely because if you say "we are investigating a possible data leak" and then
end with "we discovered it was an undocumented maintenance event by someone on
the engineering staff, we have added more detailed logging as well as a better
maintenance process so we can be clear about this in the future", many people
will think the worst. It's unfortunate.

------
yapcguy
> "In the spirit of transparency, we want to inform you of the issue."

Ha, what a joke, I can't help laughing at that.

With so many third-party Apple developers drinking the kool-aid, and dreaming
of becoming rich, I'm not surprised Apple treat them like fools.

Just yesterday on Twitter, some developers were speculating that the site was
taken down to be updated with new SDKs for exciting new features and product
lines.

~~~
georgemcbay
I'm pretty sure in a fully honest world that would read "In the spirit of not
risking running afoul of the security breach statutes in various states we do
business in, we want to inform you of the issue".

Apple is great at a lot of things but I don't think even their most ardent fans
would argue that transparency is one of them.

------
pdknsk
Hmm so it only takes a few days to "completely overhaul" their developer
systems? Not sure I believe this is what they're actually doing. And why
haven't they updated their server software before? I know mistakes can never
be completely avoided, but this seems slightly amateurish for a company with
so much cash.

~~~
objclxt
> _this seems slightly amateurish for a company with so much cash_

I know there are people here who probably have been in the start-up space for
all of their working life, but _never_ underestimate how piss poor
architecture can be at big companies.

I would place a large amount of money that every single person here who has
done a stint at a large corporation has a horror story about terrible, awful
architecture, outdated practices, and shoddy insecure software. And yes, that
includes companies like Facebook, Google, etc.

~~~
peterkelly
Case in point: [http://bugreporter.apple.com](http://bugreporter.apple.com)
still reflects the UI style of OS X 10.0

------
peterkelly
I understand everyone's frustrations with this, and the fact that Apple
haven't been immediately clear on exactly what happened. As a developer, I too
am alarmed by what has happened.

But these things are complex, and it takes time (i.e. a few days) to fully and
properly evaluate what has happened and what information leaks/security
breaches have occurred.

Let's give this a reasonable amount of time, and only then pass judgement on
their handling of the case.

I don't want to appear like an Apple apologist - and maybe it is a serious
fault on their side. But in fairness I do think it's reasonable we give them
time to evaluate & respond appropriately.

------
kyro
No reason to be up in arms, folks. They've got the marketing team working on
this too.

~~~
aaronbrethorst
The marketing team runs the portal.

[https://twitter.com/chockenberry/status/358310019537715200](https://twitter.com/chockenberry/status/358310019537715200)

~~~
threeseed
Marketing has financial responsibility but engineers still develop and
maintain it. And there is lots of cross collaboration with iTunes Store and
Apple Online Store teams.

WWDR is all about evangelising the platform to a technical audience. Of course
it belongs in marketing and not engineering i.e. it involves road shows,
presentations, reach out activities etc. Not everyone that is technical is a
developer, remember.

------
nwh
Uh, how does this "encryption" work?

For the website to show these details (and it does, in part, use these details
in the interface) it must be able to decrypt these on the web application's
side. Ergo the keys for decryption must also be on the server or derived from
the users' passwords, both of which make the use of encryption a fairly
worthless venture.

ED: As another commenter mentioned in an earlier thread, lots of other AppleID
facing applications are gone as well (
[https://ecommerce.apple.com/](https://ecommerce.apple.com/) ), so it would be
interesting to find out how far this all goes. The websites don't seem that
far disconnected from the information in iCloud.

~~~
fleitz
Maybe they phoned for a ransom after breaking in?

Your post is pure speculation and depends heavily on what Apple means by
'sensitive'. I'm guessing that Apple means your CC numbers, certs, shared
keys, etc.

Possibly also your support tickets, your bank numbers, etc.

As for how encryption works, I'd suggest Applied Cryptography by Schneier. I
think there's a problem in that book about Bob keeping speculative posts to
Alice secret from Eve. After reading that book, I'd suggest applying for a job
at Apple to give you first hand knowledge of what they're actually doing and
then you could make an informed judgement about what may or may not have been
exposed.

~~~
nwh
I am aware how crypto works. I was commenting on there being no source for a
key in this situation, rendering it a fairly useless venture.

~~~
stan_rogers
In a case like this, there would (normally) only be one secret to find. (IVs,
or at least the information IVs are derived from, and so forth would be stored
with the data.) That doesn't necessarily make it _easy_ to break if the key
was securely handled, but it does make it _catastrophic_ if the key is
determined.

Apple's email essentially says, "we don't think they have the key, but..." And
a complete investigation, along with changes to the system and an opportunity
for users to change data as soon as possible under the new system, is the
right way to go about it.

------
ChuckMcM
I got this email about an hour ago. I feel sorry for the folks who are
"updating our server software, and rebuilding our entire database". Songs will
be sung in the opsen bars about this battle.

From the sound of the email it suggests they have records of some data
(perhaps not sensitive data :-) being compromised but no root cause on how it
was compromised, so they are re-building systems from the ground up
validating, configuring, and then moving to the next step. There are times
where this is faster than spending time trying to root cause the exploit.

That said, this is where privacy and security collide. Since logs going back
months of what everyone has done on every system really helps reconstruct
things, but of course if you have those logs it means that someone else can
abuse them.

------
peterkelly
Good to see some transparency on Apple's part here.

I understand this must be a very challenging situation for them to deal with,
and I appreciate the notification. As I'm sure many developers feel, I'd like
to know more details, but I'm sure these will come in due course.

~~~
markdown
It's a strange world we live in when every time we're told by a big corp that
our personal info was compromised, we're grateful for being told.

This is the world's most cashed-up corporation. They could buy entire
countries, yet they made a conscious choice not to update their server
software or hire more competent sys-admins.

There shouldn't be a way for them to gain marketing wins out of this. There
should be a law _requiring_ notification when personal information is
compromised.

~~~
peterkelly
This isn't about marketing. It's about a security breach. And security
breaches take time (> 2 days) to properly investigate and report.

It's entirely possible that this is a massive oversight by Apple and they've
been extremely negligent in their security policies.

It's equally possible that there's some bug (that either you or I could easily
have made the mistake of introducing) that's resulted in this being possible.

Let's calm things down, give it a few days, and then evaluate. Nobody can make
an immediate judgement about the exact causes of problems like this. If you're
making judgements at this point, you really have no idea whether you're being
accurate or not.

And yes, if it turns out to be negligence on Apple's part, I'll be very angry.
But let's wait and see.

~~~
markdown
My argument was that you were impressed by the press-release. Your opinion of
Apple was improved such that you made a post in public expressing your
admiration of them for telling you that they'd lost some data that you'd
entrusted to them.

This shouldn't happen.

When my 4yr old tells me he did something "wrong" without any prompting (eg.
"Dad, I broke your phone"), I'm impressed because he didn't have to out
himself, but did so because it was the right thing to do.

Large corporations rarely think in terms of right and wrong... they have a
duty to their shareholders, and nobody else. As far as their shareholders are
concerned, they shouldn't release damaging information unless not doing so
could potentially negatively impact profits down the line. So when Apple tells
you they messed up, they're only doing so because they're worried you might
find out some other way, which would be worse for them. They aren't doing it
out of the kindness of their hearts.

Now if there were a law requiring the disclosure of incidents such as this
when personal information is compromised, then Apple wouldn't have a choice in
the matter, and they wouldn't be able to fool people like you into thinking
they're awesome when they just lost your data through negligence.

> It's entirely possible that this is a massive oversight by Apple and they've
> been extremely negligent in their security policies.

They just said they'll be updating their software. Why would they do that if
they didn't think that that would make the data safer. It's pretty much an
admission that they chose not to update the software earlier ie. someone made
a decision to use outdated software.

~~~
ptwiggens
Your post basically amounts to a conspiracy theory.

"It took them 3 days to tell us something happened. Obviously this means they
would have kept it secret if it were at all possible."

It takes time to figure out what happened in a breach. That doesn't mean that
Apple is some evil company trying to hide the fact that there was a breach.

~~~
markdown
No, I made no mention whatsoever about how long it took them to tell us. Did
you even read my comment?

> That doesn't mean that Apple is some evil company trying to hide the fact
> that there was a breach.

I never said that they were trying to hide anything. Again, did you even read
my comment?

> Obviously this means they would have kept it secret if it were at all
> possible.

Well yes, that is logical. A corporation would keep such a thing secret if
they had a guarantee that there was no other way people could find out. There
are good people working at Apple, but they are not Apple. A corporation
doesn't have morals. It will not damage itself and threaten profits just for
fuzzy feelings, any more than it will drop the price of the iPhone 6 to $20
because that would be a good thing for the poor.

~~~
jpttsn
> if they had a guarantee that there was no other way people could find out

Do you believe this is unique to corporations? Would "real people" always do
the right thing even if they had _a guarantee_ nobody would be able to tell?

~~~
markdown
Yes, many people would. I for one.

------
kalleboo
Any idea what "rebuilding our database" means? Reticulating the splines? I
hear those go out of alignment sometimes.

~~~
Sanddancer
There are lots of moving parts in a database, and lots of places one can hide
back doors for later access -- triggers, etc. If you're not sure how hard you
got owned, nuking, paving, and auditing is usually the best course of action.

------
tlongren
"In the spirit of transparency". Right, Apple.

~~~
jordanthoms
In the spirit of transparency, we're giving you vague warning that some
information might have been accessed _4 days ago_

~~~
logicallee
That's not a long time to receive a letter like this. That's as fast as Apple
instantly responds to anything, esp. considering the weekend.

And the site was down, so it was clear something was going on.

It is also extremely transparent in the sense that people were wondering this
exact thing even earlier today, and now received a response detailing that
this is an extremely severe breach, as opposed to something else. What more do
you want on a Sunday?

~~~
jordanthoms
Well I'm giving them a hard time due to the massive schadenfreude, obviously.
Still, this is very vague about what the 'sensitive personal information' is
(passwords?), what was encrypted, what was hashed, was it using a proper
hashing scheme, etc.

And announcing it just because people have started to speculate is damage
control, not taking responsibility.

~~~
k-mcgrady
>> "And announcing it just because people have started to speculate is damage
control, not taking responsibility."

It's possible it took them a few days to figure out exactly what was taken and
waited until they had as much info as possible to make a statement. I doubt
Apple would be following blogs during a situation like this with someone
making the decision: "oh, people have started to speculate about what's
happening - I think we should make a statement."

------
tater
There's a security researcher commenting on techcrunch claiming he's
responsible for the breach here:
[http://fyre.it/tjlVmC.4](http://fyre.it/tjlVmC.4)

His proof uploaded to youtube:
[http://www.youtube.com/watch?v=q000_EOWy80](http://www.youtube.com/watch?v=q000_EOWy80)

~~~
kyrra
Taking 40k records is more than just penetration testing.

------
jhspaybar
For what it's worth, Wednesday morning at 4am I had an email account
associated with my developer account compromised(they both stupidly used the
same password). This account was used for almost nothing but accessing my
developer accounts at Apple. At the time, I thought my Apple accounts might be
in trouble and I immediately changed all my Apple related passwords as well as
regained control of my email account. I'm now wondering if the breach might
have gone the other direction...

~~~
jhspaybar
At the time I re-secured the two accounts, I also changed my apple developer
account to a new email with 2-factor auth. Apple is still sending these
announcements to the email I changed >72 hours ago.

------
blinkingled
> In order to prevent a security threat like this from happening again, we’re
> completely overhauling our developer systems, updating our server software,
> and rebuilding our entire database.

I am wondering what was the thought process behind this gem. I think this
looks like a knee jerk reaction and it's particularly lacking polish coming
from Apple. I mean clearly Apple knows that "overhauling" systems and updating
software is no guarantee for future security. It's not a one time fix - it's
an ongoing process. And rebuilding entire database - that's just crazy talk!
This is especially inexcusable because the target of this update are
developers!

Security is hard - you've got legacy crap, 3rd party/unsupported code, you've
got open source code and then you have your own code that has evolved to be a
Frankenstein. I don't have a problem with Apple getting it wrong once - but
the statement does nothing to make developers confident that Apple will
finally get web services right.

------
thepumpkin1979
`rebuilding our entire database`. So the database was... destroyed...?

~~~
tater
I'd let them slide on that if they had the brass to announce it was running on
CoreData.

------
sampk
> _intruder attempted to secure personal information_

haha "secure". Am so using that word next time my site gets hacked.

~~~
rimantas
get a dictionary.

------
djvu9
Could it be related to CVE-2013-2251 which was released on 07/20? The URL
developer.apple.com/devcenter/ios/index.action seems Struts-like..

------
coldcode
Jeez people, a company identifies a hack attempt, stops it, and makes sure it
never happens again. How often do you hear that one? Most companies don't even
tell you anything happened and if they are forced to, they don't even admit
anything bad happened (we only exposed 80,000,000 credit cards, no biggie).

If my employer suffered this I doubt they'd even tell the employees.

What do all of us do when we find a security issue?

~~~
coolnow
The thing that people are getting annoyed at is Apple are claiming this update
to be in the name of transparency, even though it's 3 days late and is worded
quite poorly.

>Most companies don't even tell you anything happened

Seeing as you're confident with the "most companies" part, name me 5 big tech
companies that suffered a data breach and didn't tell the public, or were
forced to.

There are laws you know, about informing people about (potential) security
breaches.

~~~
agent123
You can't have it both ways. They were transparent. Complaining that it was 3
days after the incident is irrelevant since we don't know how much
investigation was required for them to understand the problem.

~~~
coolnow
>You can't have it both ways.

Why not? See: Ubuntuforums

>we don't know how much investigation was required for them to understand the
problem.

I agree, but I find it hard to believe a company the size of Apple, with the
talented force that they have, couldn't have identified that they might've
been breached, within 3 days.

3 days.

------
michaelxia
Thanks Apple! This email was super helpful, now I know exactly what's going on.

~~~
__david__
I sense some sarcasm here, but I don't get it. Yesterday the site was just
down, now we officially know why and have some sense of a timeline. It seems
reasonable enough to me—what more do you want?

~~~
michaelxia
Then let me clarify...

1) The site was down since Thursday, not yesterday.

2) You can't "overhaul" and expect to deploy "soon", so wtf are you doing Apple?

3) "Soon" is not a timeline, at least not in the real world.

4) What info got owned? What could be affected?

------
dphase
This may explain some strange occurrences I had yesterday.

Starting at 7am, I received an Apple ID password reset request every 4 hours
and 19 minutes, ending last night at midnight.

This Apple ID is also the login for my personal developer account (several
years old). My developer IDs used for work never received a password reset
request.

~~~
ptwiggens
I highly doubt the hackers' plan was to get email addresses and try to brute
force from there... just doesn't make sense.

If you search Google, people are all the time receiving password reset emails
going back years, even repeated ones.

Email addresses are in the clear all the time, and I've never heard of them
being considered sensitive before. You should assume everyone has your email
address.

------
GR8K
It's also posted here:
[http://devimages.apple.com/maintenance/](http://devimages.apple.com/maintenance/)

screenshot: [http://i.imgur.com/9BicjeE.jpg](http://i.imgur.com/9BicjeE.jpg)

------
0x0
I wonder if the hackers managed to get code signing keys out? Ultimate
jailbreak?

~~~
RKearney
I highly doubt Apple keeps their master keys anywhere near a public facing web
server.

~~~
0x0
The dev center seems to be able to autogenerate code signing certificates at
least. But maybe those can be revoked via online checks. I wouldn't mind
having a wildcard enterprise cert with a 20 year expiration =)

~~~
Turing_Machine
Access to an API to get certificates from a different server one at a time is
different thing from having the actual private signing key.

~~~
0x0
Certainly, but an unrestricted code signing certificate would be quite useful
too (until they are revoked)

~~~
Turing_Machine
Mmmm... maybe. Okay, let's say you can sign code as anyone, even Apple itself,
and create rogue apps.

Now, how do you use that information to compromise iOS devices? You probably
won't be able to get it in the App Store, and the iOS devices won't install
from anywhere else. You could make an Ad Hoc distribution package, but for
that you need to know the UDID of each device _and_ convince your victim to
download the rogue app from somewhere other than the App Store.

~~~
0x0
You can install .ipa files easily via http and mobilesafari, and enterprise
certs are valid for ALL UDIDs :)

So (again, assuming no revocation), you could set up a web based alternative
app store, or re-sign cracked apps/games, or just enjoy being able to run code
on your own devices (and distribute to others without going through the app
store) without maintaining the $99/year subscription, or you could start
linking/redirecting unsuspecting web browsing users to install malicious apps
(would only need 1 confirm click)

------
zztop
I can't feel too bad for Apple. They use WW/Struts but when was the last time
they contributed to the project? They never have. Open source volunteers do
their best but unless big corporations want to spend their own money, and do
their own security assessments, and contribute back anything they find, what
do you expect? It's great when you get things for free, but when you're
sitting on billions, send some back to the community you're using code from.

------
yulaow
Can it be related to the similar attack on the ubuntu forum? Maybe it was a
single group of hackers targeting the servers in which they know a lot of
developers have an account

------
plasma
Is the encryption not good enough (and I mean in general when sites get
bcrypt'd passwords stolen, etc) when owners are worried the encrypted data is
in the hands of intruders?

As a developer I'd still be concerned if I lost such data when encrypted - so
I understand - but what measures can be put in place so that as a
developer/site owner you're without uncertainty that the encrypted data will
never be encrypted by the attacker (eg, would take trillions of years).

------
general_failure
If anyone thinks this is the complete truth, well, be prepared to be fooled
many times more. I mean, the thing is down for 3 days now. This must be a huge
breach.

~~~
agent123
No. That tells us nothing about how big the breach is. Only how much effort it
is taking for them to be confident that they've properly patched it.

------
tater
I bet Forstall did it.

------
jamesjyu
Yep, I can confirm I just got this as well.

~~~
dfamorato
+1

~~~
thrush
Same. It'd be helpful if they'd have a permalink for the email, as I'd imagine
a lot of developers (including myself) have/will post to hacker news.

~~~
makomk
I figure that's probably why they don't have a link for the e-mail - they
don't want their developers posting it publicly.

------
0x0
Imagine what you could do here:

- break into facebook or twitter or any other high profile dev account
- reissue new code signing keys
- crack the latest public app and patch in a backdoor
- code sign with new keys and submit as an app update

~~~
agent123
How? They took it offline.

~~~
0x0
Yes, when they discovered it. We don't know for how long they have actually
been compromised. Also, imagine if it happens again and is not discovered.

~~~
agent123
Seems like it's just your imagination:
[http://www.loopinsight.com/2013/07/21/apple-comments-on-developer-site-hack/](http://www.loopinsight.com/2013/07/21/apple-comments-on-developer-site-hack/)

~~~
0x0
That's why I started the original post with "Imagine..." :)

(Plus, a single PR release about one incident doesn't exclude the possibility
of other (known or unknown) incidents taking place)

------
0x0
Well at least it was "only" the dev center, and not iCloud and iMessage!

~~~
Sucker
It's not uncommon for developers to use the same credentials for both their
developer account and their iTunes/iCloud account. I do.

~~~
objclxt
Apple use a centralised credential system. If I was to speculate I would
assume what's happened here is the metadata attached to the developer portal
(developer contact information, company info, etc) was compromised, not the
actual Apple ID. This would explain why Apple are saying no 'sensitive'
information (passwords?) was taken.

------
stephen_gareth
I'm more interested in the identity of the intruder for some reason. Who/what
are they? Presumably there are easier targets to steal credit card numbers
from, for example.

------
tszming
>> and rebuilding our entire database.

maybe someone dropped or polluted the database after hacking it, so they need
to rebuild the entire database from other sources?

------
GR8K
Manage your Apple ID/password/security questions here:
[https://appleid.apple.com](https://appleid.apple.com)

~~~
ptwiggens
What use would changing passwords be if passwords weren't stolen?

If you think having your email address out there means you are at higher risk
of being attacked, I've got news for you...

~~~
mcintyre1994
They said sensitive information is encrypted and can't be accessed; my
interpretation of that is that the plain text can't be accessed but attackers
may have the encrypted sensitive information (eg passwords). Depending on the
strength of their encryption though, and the key used etc etc.. it might be
perfectly accessible. In the absence of transparency on actual encryption
details, you're probably better off assuming the data is compromised than not.

~~~
ptwiggens
"Depending on the strength of their encryption though, and the key used"

I trust that Apple is competent when it comes to encryption at this point. I
agree that the statement was ambiguous as to whether the data was actually
taken.

~~~
mcintyre1994
Hopefully, but from the comments this is an old, hacky system based on old
software with critical software vulnerabilities. I don't imagine their
encryption reflects that, but until it's clarified it's probably better to
assume it does.
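plasma's question above (what makes a stolen credential store useless to whoever holds it) and mcintyre1994's caveat about the strength of the encryption and the key both come down to one design rule: passwords are not encrypted at all, because any key the server can use to decrypt them is a key an intruder on that server can take as well. They are run through a slow, per-user-salted one-way function, so every guess costs the attacker roughly what one login costs the site and no two users ever share a digest. The following is an added example, not code from Apple or from anyone in this thread: it uses PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and the `alg$iterations$salt$digest` record format are assumptions for illustration, and `unsalted_sha256` is included only to show the anti-pattern.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Assumption: calibrate so one hash takes roughly 100 ms on your own servers.
# 600k is the OWASP figure for PBKDF2-HMAC-SHA256 at the time of writing.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: alg$iterations$salt_hex$digest_hex.

    A fresh random salt per record means identical passwords produce
    different records, so cracking one record says nothing about the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        alg, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if alg != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, min_iterations=ITERATIONS):
    """True if the record was made with weaker parameters than current policy.

    Call this after a successful login and re-hash the (now known) password,
    so old records are strengthened over time without a forced reset.
    """
    alg, iterations, _, _ = record.split("$")
    return alg != ALGORITHM or int(iterations) < min_iterations


def unsalted_sha256(password):
    """The anti-pattern: fast and unsalted, so equal passwords collide and a
    single precomputed table cracks every record in the store at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("Tr0ub4dor&3", rec))
    print("unsalted digests collide:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

Whether a leaked store of such records is "perfectly accessible" then depends only on the users' password quality and the work factor, not on a key the operator had to keep secret; that is the property the question asks for, and it is what distinguishes a hashed store from an encrypted one.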

------
foobarme
Apple jargon for "oh ____"

------
vmarsy
If the intruder is a patent troll-er, getting developers’ names and mailing
addresses can be pretty harmful.

~~~
ptwiggens
How exactly would that be harmful?

If a patent troller wants to find out who is behind an app, they would go
through the legal system and use a subpoena.

Literally no reason whatsoever for them to hack a website to get it.

------
jamin
Thanks Apple. Now what really happened?

------
diminoten
Is there any other source that this actually happened besides from a guy
posting some text on HN?

~~~
adnrw
Plenty of Apple and tech-related news sites have posted the email:

[http://9to5mac.com/2013/07/21/apple-explains-developer-center-outage-intruder-attempted-to-retrieve-users-info/](http://9to5mac.com/2013/07/21/apple-explains-developer-center-outage-intruder-attempted-to-retrieve-users-info/)

[http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/](http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/)

[http://allthingsd.com/20130721/apple-developer-center-was-hacked-site-remains-down-while-company-overhauls-security/](http://allthingsd.com/20130721/apple-developer-center-was-hacked-site-remains-down-while-company-overhauls-security/)

------
soheil
Wow, if they're "overhauling" everything, that means Apple knows that hackers
got some or all developers' info, so it's not just that they can't "rule it
out", they just don't want to publicly announce it.

------
rimantas
I got a feeling that the most outraged never used the Apple developer portal in
their life.

------
jlebrech
Glad that I use a password manager and disable no-paste from Firebug in order
to login.

------
noja
> Sensitive personal information was encrypted

 _sigh_ Tell us exactly what was and what wasn't encrypted.

------
rogerchucker
How is a developer's mailing address not sensitive information for that
developer? How does a tech company get away with making a blanket assumption
like that?

------
rogerchucker
Is there a database of intrusion attempts (and successful ones too) made at
tech companies?

------
smallsharptools
Until I see an email from Apple myself I will not see this info as credible.

~~~
kalleboo
I got the email then came straight to HN to check the discussion.

      Received: by 10.50.11.202 with SMTP id s10csp27972igb;
              Sun, 21 Jul 2013 16:01:44 -0700 (PDT)
      X-Received: by 10.68.172.34 with SMTP id az2mr27321730pbc.201.1374447703980;
              Sun, 21 Jul 2013 16:01:43 -0700 (PDT)
      Return-Path: <developer_bounces@insideapple.apple.com>
      Received: from msbadger0508.apple.com (msbadger0508.apple.com. [17.254.6.162])
              by mx.google.com with ESMTP id yo6si9958126pac.15.2013.07.21.16.01.43
              for <XXX>;
              Sun, 21 Jul 2013 16:01:43 -0700 (PDT)
      Received-SPF: pass (google.com: domain of developer_bounces@insideapple.apple.com designates 17.254.6.162 as permitted sender) client-ip=17.254.6.162;
      Authentication-Results: mx.google.com;
             spf=pass (google.com: domain of developer_bounces@insideapple.apple.com designates 17.254.6.162 as permitted sender) smtp.mail=developer_bounces@insideapple.apple.com;
             dkim=pass header.i=@insideapple.apple.com;
             dmarc=pass (p=REJECT dis=NONE) d=insideapple.apple.com
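Those headers are what a recipient can actually check before trusting a mail like this: the receiving MTA (mx.google.com here) recorded SPF, DKIM and DMARC verdicts, and the identifiers they name should all agree on one domain. As an added example, not from the post, from Apple or from Google, here is a small Python parser that reads those verdicts out of the headers posted above, checks that the SPF `smtp.mail`, DKIM `header.i`, DMARC `d=` and `Return-Path` domains line up, and cross-checks the `client-ip` against the address the MTA itself recorded in its `Received` line. Comment and property parsing is simplified relative to RFC 8601 (an assumption: no quoted strings or nested parentheses), and the `trustworthy` summary is my own aggregation, not a standard field.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# The headers posted above, verbatim (the recipient was already redacted as <XXX>).
RAW_HEADERS = textwrap.dedent("""\
    Received: by 10.50.11.202 with SMTP id s10csp27972igb;
            Sun, 21 Jul 2013 16:01:44 -0700 (PDT)
    X-Received: by 10.68.172.34 with SMTP id az2mr27321730pbc.201.1374447703980;
            Sun, 21 Jul 2013 16:01:43 -0700 (PDT)
    Return-Path: <developer_bounces@insideapple.apple.com>
    Received: from msbadger0508.apple.com (msbadger0508.apple.com. [17.254.6.162])
            by mx.google.com with ESMTP id yo6si9958126pac.15.2013.07.21.16.01.43
            for <XXX>;
            Sun, 21 Jul 2013 16:01:43 -0700 (PDT)
    Received-SPF: pass (google.com: domain of developer_bounces@insideapple.apple.com designates 17.254.6.162 as permitted sender) client-ip=17.254.6.162;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of developer_bounces@insideapple.apple.com designates 17.254.6.162 as permitted sender) smtp.mail=developer_bounces@insideapple.apple.com;
           dkim=pass header.i=@insideapple.apple.com;
           dmarc=pass (p=REJECT dis=NONE) d=insideapple.apple.com
""")


def _flat(value):
    """Unfold a header: collapse folding whitespace into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def _strip_comments(value):
    """Drop '(...)' comments; assumption: none nested or quoted (RFC 8601 allows both)."""
    return re.sub(r"\([^()]*\)", "", value)


def parse_authentication_results(value):
    """Return {'authserv_id': ..., 'spf': {'result': 'pass', 'smtp.mail': ...}, ...}."""
    parts = [p.strip() for p in _flat(value).split(";") if p.strip()]
    out = {"authserv_id": parts[0] if parts else ""}
    for clause in parts[1:]:
        tokens = _strip_comments(clause).split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key] = val
        if method.lower() == "dmarc":
            # Receivers usually note the sender's published policy inside a comment.
            m = re.search(r"\bp=([A-Za-z]+)", clause)
            props["p"] = m.group(1).upper() if m else None
        out[method.lower()] = props
    return out


def parse_received_spf(value):
    """Return the SPF result and the connecting IP the receiver evaluated."""
    flat = _flat(value)
    result = flat.split(None, 1)[0].rstrip(";").lower() if flat else None
    m = re.search(r"client-ip=([0-9A-Fa-f.:]+)", flat)
    return {"result": result, "client_ip": m.group(1) if m else None}


def _domain(identity):
    """Domain of 'user@dom', '<user@dom>' or DKIM's bare '@dom'."""
    addr = parseaddr(identity)[1] if "<" in identity else identity
    return addr.rpartition("@")[2].lower()


def assess(raw_headers):
    """Do the receiver's SPF/DKIM/DMARC verdicts agree, and on the same domain?"""
    msg = message_from_string(raw_headers)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = (auth.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_hdr = parse_received_spf(msg.get("Received-SPF", ""))
    # The hop the authserv wrote itself records the IP it saw connecting,
    # which should be the address SPF was evaluated against.
    hop_ip = None
    for received in msg.get_all("Received", []):
        if auth["authserv_id"] and f"by {auth['authserv_id']}" in _flat(received):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", _flat(received))
            hop_ip = m.group(1) if m else None
    domains = {_domain(spf.get("smtp.mail", "")), _domain(dkim.get("header.i", "")),
               dmarc.get("d", "").lower(), _domain(msg.get("Return-Path", ""))}
    report = {
        "spf": spf.get("result"), "dkim": dkim.get("result"), "dmarc": dmarc.get("result"),
        "dmarc_policy": dmarc.get("p"), "client_ip": spf_hdr["client_ip"],
        "ip_consistent": hop_ip is not None and hop_ip == spf_hdr["client_ip"],
        "aligned": len(domains) == 1 and "" not in domains,
    }
    report["trustworthy"] = (report["spf"] == report["dkim"] == report["dmarc"] == "pass"
                             and report["aligned"] and report["ip_consistent"])
    return report


if __name__ == "__main__":
    for key, val in assess(RAW_HEADERS).items():
        print(f"{key:14} {val}")
```

One caveat a practitioner would add: only an `Authentication-Results` line whose authserv-id is your own provider's is meaningful, since a sender can insert one itself and receivers are expected to strip any that claim their identity. Even a fully consistent pass only says the mail really came from insideapple.apple.com's infrastructure; it says nothing about what the message asks you to do.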

------
dano414
I got kicked out of an Apple store. I questioned a manager's managerial
expertise. I took his angry picture at the door (Eric in Corte Madera). I am
tempted to post it on YouTube, but feel punishment enough is working there? Oh
yeah, the reason he was furious at me is because I didn't like the way he was
treating my salesman. I've never understood people who let a title go to their
head? Off topic, just venting.

