Group threatens to expose security flaw in Apple developer website

“Apple’s website for Mac OS X, iPhone and iPad developers has a vulnerability that could lead to phishing attacks, according to a hacker group,” Ellen Messmer reports for Network World.

“The Apple website vulnerability could allow an attacker to specify a link to another site through a ‘redirect,’ which could simplify phishing attacks, claims the YGN Ethical Hacker Group,” Messmer reports. “The outfit, dedicated to finding website security flaws, is said to operate from the country of Myanmar.”

Messmer reports, “Unless Apple fixes the alleged vulnerability, the group says it plans to release information publicly in the next few days via the Full Disclosure security mailing list… YGN Ethical Hacker Group says it doesn’t want the discoveries it makes about vulnerabilities to be used for illegal hacking purposes, but to spur better security in commercial websites. The group says it informed Apple on April 25 about the ‘issues’ it discovered at the developer site. The group says Apple on April 27 acknowledged the receipt of the information, saying, ‘We take the report of a potential security issue very seriously.’ But as of yet, YGN Ethical Hacker Group does not believe the main security hole it identified has been fixed.”

Read more in the full article here.

17 Comments

  1. Myanmar? The place that did not know how to reconstruct basic shelter (basic housing) for its people after the tsunami? The place where the “Garbage Warrior” had to go and show how to construct housing out of garbage? That Myanmar?

    These hackers should put their minds to tasks more at hand than hacking, I think.

    Oh, maybe Apple just looked at their so called security hole and assessed that it was nothing to worry about. Dunno for sure, but maybe.

    1. Paul, they don’t have to actually be based in Myanmar; however, given that it serves no purpose to advertise their actual location, I say Myanmar serves well.

    2. Neurones are not the sole property of the West... yes, I know. Just saying that Myanmar does not strike me as a hotbed of technology. But it seems I might be wrong, according to the reaction here.

  2. Exactly how does publishing a how-to-hack-Apple’s-developer-website document for all the world to see serve this group’s stated purpose of making the web more secure? What a joke!

    1. Well, they have an obligation to two parties. First, they are ‘ethical hackers’, or have stated this to be the case, so in that vein they are giving the vendor advance notice. That explains the delay in publishing the exploit.

      They also have an obligation to the security community to disclose the exploit at some point if they want to be taken seriously. No one is going to believe them if they never release the material. Disclosure is what makes them known and respected.

      I’d argue that if it’s as big an exploit as they say, then every day Apple ignores it just puts their customers at risk, and not because these guys are going to publish it, but because it may not be long before someone else discovers it who would rather just steal customer info until the well runs dry, so to speak.

      Be glad these guys found it first. Seriously!

    2. It’s called “ethical blackmail.” Why else would someone spend hours upon hours scouring websites for potential security flaws, contacting the companies which own the sites, and threatening to release the vulnerability if it isn’t “fixed” within a few days?

      Payday!

      1. If they were out to make a ton of money on this you wouldn’t see them disclosing it on a security mailing list. The potential value of the exploit (if it’s what they claim) would be freakin’ huge on the black market.

        It takes drive and passion to find exploits. Most of these guys are not in it for the money, but simply because the challenge is there.

  3. I have a hard time understanding the ‘ethics’ of releasing an unfixed flaw to the public (i.e., the bad guys). After all, the root cause of the flaw may be buried so deep in the system that an easy and quick fix may be impossible.
