A group of hackers has discovered a vulnerability in Apple’s Dev Center that leaves the site open to phishing scams. Unless Apple fixes it soon, users could find themselves unknowingly redirected to malicious websites that attempt to steal their credentials.
Apple’s Dev Center is the website registered developers use to get their hands on the latest iOS betas and pre-release Mac OS X software, in addition to a wealth of information used for development purposes. It could, however, be dangerous to its visitors.
The YGN Ethical Hacker Group has discovered a vulnerability in the site that could allow an attacker to “redirect” Dev Center visitors to a malicious website that attempts to steal their personal details. The group informed Apple about the vulnerability on April 25, and on April 27 Apple acknowledged receipt of the information, writing, “We take the report of a potential security issue very seriously.”
As of this writing, however, Apple is believed not to have fixed the main security hole discovered by the group.
Macworld explains how the vulnerability is dangerous to developers accessing Apple’s Dev Center:
The specific hole related to the “vulnerable code portion in developer.apple.com,” according to the group, is called “URL Redirection to Untrusted Site (‘Open Redirect’).” This is described in Mitre’s data definitions of “Common Weakness Enumeration” as follows: “By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.”
The Mitre definition of the URL Redirect says it can allow an attack because “the user may then unwittingly enter credentials into the attacker’s web page” which would compromise the user’s sensitive information.
The group that discovered the flaw operates from Myanmar and says it doesn’t want the vulnerabilities it discovers to be used for illegal hacking purposes. Instead, it wants websites to take note of its findings and improve their security to fix issues like the ones with Apple’s Dev Center.
If this vulnerability isn’t resolved over the next few days, the group will publicly release information regarding three specific issues with Apple’s Dev Center via the “Full Disclosure security mailing list,” which they hope will persuade Apple to get to work quickly on a fix.
These issues are an arbitrary URL redirect, cross-site scripting, and HTTP response splitting, with the arbitrary URL redirect identified as the “root cause.”
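To make the weakness described in the Mitre definition above concrete, and to show how the same untrusted redirect value also underlies the HTTP response splitting issue listed here, the following is an added example and not code from the article, from YGN, or from Apple’s Dev Center. It is a plain Python illustration of the classic open-redirect pattern (a “next” parameter copied straight into the Location header) beside a hardened validator that only ever sends the user back to the site itself. The hostname developer.example.com, the parameter name and the fallback path are constructed for the example; nothing here describes how developer.apple.com is actually built.

```python
"""Open redirect (CWE-601): the vulnerable pattern and a hardened redirect-target validator.
Added example with constructed hostnames; not the code of any real site."""
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOST = "developer.example.com"   # constructed; stands in for the site's own hostname
DEFAULT_TARGET = "/account"              # constructed fallback used whenever the input is rejected


def vulnerable_redirect_target(next_param):
    """The pattern behind CWE-601: whatever arrived in ?next= becomes the Location header.
    The link the victim clicks begins with the trusted server name, which is exactly why the
    phishing page it lands on looks credible."""
    return next_param


def safe_redirect_target(next_param, default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site, or `default` if the input is not one."""
    if not next_param:
        return default

    # Control characters must never reach a Location header: a CR/LF inside the value is how
    # HTTP response splitting injects extra headers or a second response. Whitespace is
    # rejected too, because browsers strip leading/trailing spaces before parsing a URL.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in next_param):
        return default

    # Browsers treat '\' like '/' in http(s) URLs, so '/\evil.example' is resolved by the
    # client as the protocol-relative '//evil.example' even though urlsplit sees only a path.
    if "\\" in next_param:
        return default

    parts = urlsplit(next_param)

    # Case 1: a site-relative path. It must start with exactly one '/': '//host' and even
    # '///host' are resolved by browsers as a new authority, not as a path on this site.
    if not parts.scheme and not parts.netloc:
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return default

    # Case 2: an absolute URL back to our own host. Compare the parsed hostname, which
    # excludes userinfo and port, so 'https://developer.example.com@evil.example/' fails.
    if parts.scheme == "https" and parts.hostname == TRUSTED_HOST:
        # Re-emit it as a relative target so the response can never point off-site.
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))

    # Everything else: other hosts, other schemes (javascript:, data:, http:), malformed input.
    return default


if __name__ == "__main__":
    # Constructed sample inputs: legitimate targets plus the shapes a validator must refuse.
    samples = [
        "/account/settings",
        "https://developer.example.com:443/ios/beta?v=7",
        "https://evil.example/login",
        "//evil.example/login",
        "///evil.example",
        "/\\evil.example",
        "https://developer.example.com@evil.example/",
        "/ok\r\nSet-Cookie: session=x",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} vulnerable -> {vulnerable_redirect_target(s)!r:48} safe -> {safe_redirect_target(s)!r}")
```

The design point is the allow-list: rather than trying to enumerate bad hosts, the validator accepts only two shapes (a single-slash relative path, or an https URL whose parsed hostname is exactly the site’s own) and falls back to a fixed page for everything else, which also removes the CR/LF vector because the raw value is never copied into a header.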
YGN discovered a vulnerability in security firm McAfee’s website back in March but wasn’t satisfied with the response it received from the company. After the information was made public, however, McAfee acknowledged and resolved the problems. Let’s hope Apple does the same.