How’s this for a strange course of events: Apple’s Developer Portal goes down
on Thursday. They announce that they’ve been hacked and that non-financial
developer information was leaked. Security researcher Ibrahim Balic posts a
YouTube video demonstrating the exploit with a Python script and defends
his actions by showing a past bug report to Apple describing the problem. Oh,
and this happened. *sigh*
While I’m glad that Apple shared these details, they said they will keep the
portal down while they are “completely overhauling our developer systems”.
Nothing brings out the most reasonable and security-conscious software
developer like an insane deadline imposed by external circumstances, right?
They have their hands full and they have to rush. This is not a good
What do we, the peons, do in the wake? Walk, don’t run, to the nearest Mac or
iOS device linked to your App Store account and buy 1Password or the
equivalent[1]. Go to appleid.apple.com and change your password (I
changed my email address, too[2]). Triple-check the URL of any site claiming
to need your Apple ID password—better yet, let 1Password’s autofill feature
notice URL discrepancies for you: it only fills credentials on the exact site
they were saved for, so a lookalike domain gets nothing. And remember that
anything you put online is fair game.
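Exact-origin matching is the reason autofill catches lookalike URLs that a tired human eye misses. As an added example, not code from the original post and not 1Password’s own implementation, here is a minimal version of that check in Python. The vault contents and the URLs being tested are constructed for illustration; only `https://appleid.apple.com` is a real Apple address.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: exact origin -> credential label.
# A real password manager keys entries the same way, by origin, not by substring.
VAULT = {
    "https://appleid.apple.com": "Apple ID",
}


def origin_of(url: str) -> Optional[str]:
    """Return the https origin (scheme://host[:port]) of url, or None.

    Anything that is not https, or has no host, or has a malformed port,
    is treated as "no origin" so that nothing is ever filled into it.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # .hostname drops any userinfo, so "https://appleid.apple.com@evil.example"
    # yields "evil.example", and is already lower-cased.
    host = parts.hostname.rstrip(".")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is not None and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def credential_for(url: str) -> Optional[str]:
    """Exact-origin lookup, the way autofill decides whether to offer a login.

    No prefix, suffix or "looks similar" matching: a lookalike host, an http
    downgrade, or a userinfo trick all come back as None.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    # Constructed test URLs: one legitimate, the rest phishing-style lookalikes.
    for candidate in [
        "https://appleid.apple.com/account/manage",
        "https://APPLEID.APPLE.COM:443/",
        "https://appleid.apple.com.login-verify.example/",   # real host is the suffix
        "https://appleid-apple.com/",                        # hyphen instead of dot
        "https://appleid.apple.com@login-verify.example/",   # userinfo trick
        "https://appleid.аpple.com/",                        # Cyrillic 'а' homograph
        "http://appleid.apple.com/",                         # plaintext downgrade
    ]:
        print(f"{candidate!s:55} -> {credential_for(candidate)}")
```

Every line that prints `None` is a site where the manager offers nothing, which is exactly the signal to stop and look at the address bar. The homograph and userinfo cases are the ones that tend to survive a manual triple-check.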
Update August 21st: Now we finally know that the downtime wasn’t caused by Ibrahim Balic at all but by a separate remote code execution vulnerability.