Apple’s unique “chocolate teapot” security systems have become a laughing stock again.
Last week, Apple shut down its Mac, iPhone, and iPad developer website and carried out a huge unscheduled maintenance. Initially it did not say why but later admitted that its security geniuses had found an evil intruder who might have stolen everyone’s data.
Sensitive information was encrypted and was not accessed, but the company said “some developers’ names, mailing addresses, and/or email addresses may have been accessed”.
But it turned out that Apple’s evil intruder was Ibrahim Balic, a London-based penetration tester.
Companies regularly hire Balic to try to find vulnerabilities in their systems, and he recently decided to take a look at Apple’s sites. He found 13 bugs in total, all of which were reported using the online bug reporter, he said. He filed a bug report and the portal was taken down.
But Apple had done as it usually does with security concerns and had not bothered to reply to Balic. Instead Apple assumed it was under a massive attack, battened down the hatches and prepared to repel boarders.
According to TechCrunch, Balic created a YouTube video to show how he had accessed developer information, but took it down after realising that he hadn’t obscured the names and details of the individual developers.
One would think that Apple would be a little more sensitive to the security of its developers and thank those who find the faults.
Earlier this year, an iOS developer forum was compromised and infected employees at Twitter, Facebook, and others with malware. Attackers with stolen Apple developer accounts would be able to upload potentially malicious applications under the compromised developer’s name.
The downside of Apple’s “don’t talk to anyone” security policy is that it has taken down its developer portal as developers are preparing applications for iOS 7, slated for release later this year.