Apple fixes hole that leaked employees’ and developers’ personal info

Apple quietly slipped its Developer Center offline on Sunday night for maintenance and, it turns out, to patch a serious security hole that let anybody access personal contact information for any registered Mac, iOS or Safari developer; every Apple Retail and corporate employee; and some key partners.

The news comes from 9to5Mac.

The Macintosh-focused news venue was surprised on Saturday when a tipster sent an email into its tips box that contained the personal contact information – including cell phone numbers – of several of the publication’s staffers, as well as a few high-ranking Apple executives.

Well, that’s a tad creepy, said 9to5Mac-er Mike Beasley:

When an email from a stranger containing your phone number arrives, that’s not a great feeling. You don’t want the world doing that, right?

— Mike Beasley (@MikeBeas) April 28, 2014

In a case study of responsible disclosure, the publication and the developer who discovered it, Jesse Järvi, kept mum about the hole until Apple fixed it.

Beasley wrote:

Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple.

Amen and kudos to that.

9to5Mac published a video of how Järvi exploited a hole in Apple’s Radar application – an internal program Apple employees use to manage bug reports submitted through its bug tracker.

Radar grants access to the full roster of registered Apple developers – even those in the free Safari developer program, Beasley writes.

It turns out that Radar was publicly available for download from Apple’s website.

As iMore reports, in fixing the hole, Apple also removed the application from its previous, unprotected location, which is now returning a 404 ‘page not found’ error.

After Järvi downloaded Radar, it prompted him for an Apple ID login.

That ID has to be on a list of employees with access to the Radar app.

Järvi entered an invalid login, after which Radar kicked him out. But it didn’t cut off his access to the application’s other tools, including a people lookup function.

Järvi found that by opening a directory search and plugging in any piece of info – including a name, phone number, or email address – the application presented a list of matches, all without requiring authentication.

Apple hadn’t yet released a public statement by the time this article posted, but 9to5Mac says that the company confirmed to Järvi that the issue has been resolved.

This fix comes fast on the heels of critical security fixes for OS X, iOS and Apple TV that Apple put out last week.

Naked Security’s been tugging on Apple’s sleeve, trying to get it to adopt some kind of frequent, regular update schedule, for quite some time.

Tuesdays are nice – everybody’s used to Patch Tuesday by now, after all!

And as Paul Ducklin notes, Apple’s sort of approaching some form of frequency.

You don’t know when exactly they’re coming, but at least the updates are coming more frequently, unlike the update for a critical bug in the sudo command that Apple ignored for at least six months.

This hole in Radar got fixed lightning-fast in comparison. Reported on a Saturday, fixed by Sunday night. Nice!

I bet there are plenty of Apple developers, employees and partners who are glad to know that the company can hop on at least some holes lickety-split!