Monday July 22, 2013

Apple Developer Portal, and The Perils of The Modern Age

How’s this for a strange course of events: Apple’s Developer Portal goes down on Thursday. They announce that they’ve been hacked and that non-financial developer information has leaked. Security researcher Ibrahim Balic posts a YouTube video demonstrating the exploit with a Python script and defends his actions by showing a past bug report to Apple describing the problem. Oh, and this happened. *sigh*

While I’m glad that Apple shared these details, they said they will keep the portal down while they are “completely overhauling our developer systems”. There’s nothing that brings out the most reasonable and security-conscious software developer like an insane deadline imposed by external circumstances, right? They have their hands full and they have to rush. This is not a good combination.

What do we, the peons, do in the wake? Walk, don’t run, to the nearest Mac or iOS device linked to your App Store account and buy 1Password or the equivalent[1]. Go to appleid.apple.com and change your password (I changed my email address, too[2]). Triple check the URL of any site claiming to need your Apple ID password—better yet, use 1Password’s autofill feature to notice URL discrepancies for you. And remember that anything you put online is fair game.

Update August 21st: Now we finally know that the downtime wasn’t the result of Ibrahim Balic but of a separate remote code execution vulnerability.

  1. I use 1Password because it is awesome. No kickbacks were involved in the mention of this software.

  2. If you change your email address then you’ll need to delete the iCloud accounts from any of your iOS devices and re-add them with the new email address.