Over the weekend, while many of us were enjoying the outdoors, Apple engineers were fixing a critical security flaw on its website. The issue allowed anyone to access the personal contact information for just about everyone associated with Apple, including developers, according to 9to5Mac.
The security flaw was first discovered by developer Jesse Järvi using Apple’s Radar application, an internal program used by Apple employees to manage bug reports submitted through its bug tracker. Thanks to the exploit, Järvi was able to access contact information for every registered iOS, Mac, or Safari developer, and every Apple Retail and corporate employee.
Data for some key Apple partners was also accessible.
According to 9to5Mac:
The first step in exploiting this hole was downloading the Radar application from Apple’s website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn’t cut off access to other tools contained within the software—including the people lookup function.
Open a directory search and plug in any piece of info, such as a name, phone number, or email address, and the application will promptly bring up a list of matches—no authentication required.
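The quoted sequence describes a classic access-control failure: the login check gated only the client's user interface, while the directory-lookup function behind it never required an authenticated session of its own. The following Python sketch is an added illustration of that pattern and is not Apple's or 9to5Mac's code; the server classes, the sample directory entries, the user account and the password are all made up. The vulnerable server validates credentials at login but never re-checks them on lookup, so a caller who skips the client and hits the lookup function directly still gets results; the hardened variant requires a valid session token on every request.

```python
"""Illustrative model of a login gate that does not protect the lookup it fronts.

Everything here is constructed for the example: the directory entries, the
allowed account and the class names are hypothetical, not taken from any real
system.
"""
import hmac
import secrets

# Constructed sample directory (made-up people).
DIRECTORY = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "555-0101"},
]

# Constructed allow-list of accounts permitted to use the tool.
ALLOWED_USERS = {"employee@example.com": "correct horse battery staple"}


class AuthError(Exception):
    """Raised when credentials or a session token are rejected."""


class VulnerableDirectoryServer:
    """Login is checked, but the lookup endpoint trusts every caller."""

    def __init__(self):
        self.sessions = set()

    def login(self, user, password):
        expected = ALLOWED_USERS.get(user)
        # Constant-time comparison avoids leaking the password via timing.
        if expected is None or not hmac.compare_digest(expected, password):
            raise AuthError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def lookup(self, query, token=None):
        # BUG being illustrated: self.sessions is never consulted, so the
        # token argument is decorative and anyone reaching this code can search.
        needle = query.lower()
        return [e for e in DIRECTORY if needle in " ".join(e.values()).lower()]


class HardenedDirectoryServer(VulnerableDirectoryServer):
    """Same login flow, but every lookup must present a live session token."""

    def lookup(self, query, token=None):
        if token is None or token not in self.sessions:
            raise AuthError("authentication required")
        return super().lookup(query, token)


def replay_exploit(server):
    """Model the reported sequence: a failed login, then a direct lookup.

    A client would normally exit after the failed login; an attacker simply
    calls the lookup anyway. Returns the number of records obtained.
    """
    try:
        server.login("nobody@example.com", "wrong password")
    except AuthError:
        pass  # the client UI would quit here; the attacker keeps going
    try:
        return len(server.lookup("555"))  # a phone-number fragment
    except AuthError:
        return 0


if __name__ == "__main__":
    print("vulnerable leaked", replay_exploit(VulnerableDirectoryServer()), "records")
    print("hardened leaked", replay_exploit(HardenedDirectoryServer()), "records")
```

The lesson the hardened class encodes is that authentication must be enforced by the service that holds the data, on every request, rather than by whether the client program happens to stay open after a login attempt.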
Last summer, an intrusion closed Apple’s developer site for eight days. The problem this time around was corrected much more quickly and didn’t require a site shutdown. By Sunday night, Apple had patched the security hole.
Here’s a look at how the exploit was discovered:
Apple is expected to release a statement on this issue very soon. When they do, we’ll update this post.