Social Icons

Tuesday, April 29, 2014

Apple Patches A Security Hole That Exposed Personal Contact Information





Over
the weekend, while many of us were enjoying the outdoors, Apple
engineers were fixing a critical security flaw on its website. The issue
allowed anyone to access the personal contact information for just
about everyone associated with Apple, including developers, according to
9to5Mac.


The security flaw was first discovered by developer Jesse Järvi using Apple’s Radar application, an internal program used by Apple employees to manage bug reports submitted through its bug tracker. Thanks
to the exploit, Järvi was able to access contact information for every
registered iOS, Mac, or Safari developer, and every Apple Retail and
corporate employee.


Data for some key Apple partners was also accessible.


According to 9to5Mac:


The first step in exploiting this hole was downloading
the Radar application from Apple’s website. The program requires an
Apple ID login to function, and that ID must be on a list of employees
with access to the Radar app. Entering an invalid login causes the
program to kick you out, but doesn’t cut off access to other tools
contained within the software—including the people lookup function.

Opening a directory search and plugging in any piece of info, such as
a name, phone number, or email address, and the application will
promptly bring up a list of matches—no authentication required.
Last summer,
an intruder breach closed Apple’s developer site for eight days. The
problem this time around was corrected much more quickly and didn’t
require a site shutdown. By Sunday night, Apple had patched the security
hole.


Here’s a look at how the exploit was discovered:



Apple is expected to release a statement on this issue very soon. When they do, we’ll update this post.





No comments:

Post a Comment

 

Sample text

Sample Text

Sample Text