
Hacker group says Apple developer site susceptible to phishing hacks

An "ethical" hacker group says it has given Apple just a few days to patch …

A group that calls itself YGN Ethical Hacker Group has identified potential security holes in Apple's website for Mac and iOS developers. Those security holes could allow malicious hackers to use the Apple Developer Connection in phishing attacks to gain access to users' login and password information.

According to information supplied to Networkworld, the group identified three potential security issues on the site: arbitrary URL redirects, cross-site scripting, and HTTP response splitting. In particular, the ability to redirect arbitrarily to other URLs could make phishing attacks against developers' login credentials more likely to succeed.

"By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," the group said. "Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." In other words, even though the redirect will cause users to end up at a malicious site, the original link would appear to come from developer.apple.com.
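The redirect flaw described above comes down to a site trusting a URL parameter as the destination. As an added example (not Apple's code, and not taken from the group's report), here is that weak pattern beside an allowlist check that keeps the redirect on the site's own host; the trusted host set and base URL are assumptions for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Assumed for illustration: the only host a redirect parameter may point to.
TRUSTED_HOSTS = {"developer.apple.com"}
BASE = "https://developer.apple.com/"


def unsafe_redirect_target(value):
    """The weak pattern: the user is sent wherever the URL parameter says."""
    return value


def safe_redirect_target(value, default="/"):
    """Allowlist check: follow the parameter only if it stays on a trusted host."""
    if not value:
        return default
    # CR/LF and other control characters are rejected outright; written straight
    # into a Location header they are the raw material of response splitting.
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return default
    # Browsers treat backslashes as slashes, so normalise before parsing or
    # "/\evil.example" would look like a harmless relative path.
    candidate = value.replace("\\", "/")
    scheme = urlsplit(candidate).scheme
    if scheme and scheme not in ("http", "https"):
        return default  # javascript:, data:, and similar schemes
    # Resolve against the trusted origin, then check the host that results;
    # this catches "//evil.example", "user@evil.example" and lookalike hosts.
    resolved = urlsplit(urljoin(BASE, candidate))
    if resolved.scheme != "https" or resolved.hostname not in TRUSTED_HOSTS:
        return default
    return resolved.geturl()
```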

Since developers use their Apple ID to access password-protected areas of Apple's developer website, such as forums, beta OS releases, and SDKs, a successful phishing attack could give hackers access to a user's iTunes Connect account, iTunes Store purchases, and more. If the e-mail address is valid, hackers could also try password cracks to get into the user's e-mail account.

YGN said that it alerted Apple to the problem in late April, and that the company quickly acknowledged getting the report. "We take the report of a potential security issue very seriously," Apple told YGN. However, it doesn't appear Apple has closed the security holes.

To encourage Apple to act, the group says that it will release its discoveries to the security mailing list Full Disclosure "in a few days."
