How sloppy security exposed Apple’s super-secret product plans

This login screen for a Quanta Computer database led to sensitive documents containing details on upcoming Apple products. Photo: Jim Merithew/Cult of Mac

Incredibly sloppy security at one of Apple’s key suppliers exposed some of Cupertino’s most closely guarded secrets to anybody who could conduct a simple Google search.

For months, one of Quanta Computer’s internal databases could be accessed using usernames and a default password published in a PowerPoint presentation easily found on the Web.

Quanta, based in Taiwan, is the world’s largest notebook manufacturer. In addition to Apple, Quanta assembles laptops and ultrabooks for dozens of companies, including Dell, Hewlett-Packard, Sharp and Sony. The company is also supposedly assembling the upcoming Apple Watch and the long-rumored iPad Pro, though no official announcements have been made.

The security lapse comes at a time of rapidly accelerating hacking incidents and cyberattacks, from credit card breaches and celebrity nude selfie leaks to the damaging theft of Sony’s most sensitive corporate data. The fact that the confidential plans of a company as secretive as Apple can be laid bare through a series of security missteps illustrates just how difficult it is to safeguard information in the digital era.

The path to Quanta’s database started last September when, on the eve of the big Apple Watch launch event, an anonymous Reddit user posted drawings and details of the super-secret device.

The images showed a chunky square housing in two different sizes. Up to this point, no definitive leaks had occurred, and the Apple community was skeptical. It didn’t look like an Apple device. But the leak turned out to be true, and predicted many details revealed by Apple the following day.

One of Quanta Computer’s internal databases, which holds detailed information about Apple’s product pipeline, could be accessed with some savvy Google searching. Screenshot: Cult of Mac

The information was gleaned from photographs of one of Quanta’s internal PowerPoint presentations. The document is not the only one floating around online, either: Several other confidential Quanta documents have been published online, and at least one gives details and login information for an internal Quanta database containing detailed schematics that appear to show other upcoming Apple products. The details can be found with a simple Google search.

A quick search for the phrase “Quanta confidential” and “.ppt” — the PowerPoint file extension — pulls up a presentation entitled “Quanta PDM system for Restricted Substances Investigation,” among several others Cult of Mac hasn’t yet dug through. The document is mirrored in several places, or was.

The document dates from January 15, 2013. It describes a Quanta database for managing the environmental aspects of products and components. The PowerPoint presentation appears to have been made to show Quanta’s customers how to log in and use the system.

Incredibly, it includes a link to the database and details of the usernames and default password for at least two customers, including Foxconn, Apple’s main manufacturing partner in China:

please input your account number default in username:Supplier Code+ three digital numbers
web page default password for ‘agile’ ,please change it after log in
Supplier Code+ three digital code
(for example) FOX111

A source, who Cult of Mac promised not to identify, demonstrated to us how anyone could log into the system using one of the usernames and the default password named in the document.

It appears that Quanta set up the same simple default password for all of its customers, and that some customers did not change the default after logging in for the first time.
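The provisioning scheme quoted from the presentation (username = supplier code plus three digits, one shared default password, and nothing that forces a change after the first login) is the whole lapse in miniature. The following is an added example, not code from Cult of Mac or Quanta: a toy supplier-portal account store that shows the weak provisioning beside a hardened form and a defender-side audit for accounts still sitting on a known default. The class and function names are assumptions; the `agile` default and the `FOX111` username come from the quoted document; everything else is constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never keeps the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the account holder sets their own password


class SupplierPortal:
    """Constructed toy account store modelling the provisioning described above."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def _verify(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def provision_weak(self, supplier_code: str, seq: int, default: str = "agile") -> str:
        # The pattern from the leaked document: one shared, documented default
        # password for every customer and no forced change at first login.
        username = f"{supplier_code}{seq:03d}"
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(default, salt), must_change=False)
        return username

    def provision_hardened(self, supplier_code: str, seq: int) -> tuple[str, str]:
        # Hardened: a per-account random initial secret, handed over once out of
        # band, plus a must_change flag that blocks everything except rotation.
        username = f"{supplier_code}{seq:03d}"
        initial = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(initial, salt), must_change=True)
        return username, initial

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'must_change' (rotation required first) or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, password):
            return "denied"
        return "must_change" if acct.must_change else "ok"

    def change_password(self, username: str, old: str, new: str,
                        known_defaults: tuple[str, ...] = ("agile",)) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, old):
            return False
        if new in known_defaults or len(new) < 12:
            return False  # refuse to rotate onto the documented default or a short secret
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change = False
        return True

    def audit_default_passwords(self, known_defaults: tuple[str, ...] = ("agile",)) -> list[str]:
        """Defender check: which accounts still verify against a known default?"""
        return sorted(
            a.username for a in self.accounts.values()
            if any(self._verify(a, d) for d in known_defaults)
        )


if __name__ == "__main__":
    portal = SupplierPortal()
    weak = portal.provision_weak("FOX", 111)
    hard, initial = portal.provision_hardened("FOX", 112)
    print(portal.login(weak, "agile"))        # ok  <- the lapse the article describes
    print(portal.login(hard, initial))        # must_change
    print(portal.audit_default_passwords())   # ['FOX111']
```

The audit is the piece a supplier-portal operator would run on a schedule: because the default is known to the operator, it can be checked against every stored hash without ever seeing a customer's chosen password, and any hit is an account that should be locked until its holder rotates it.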

Cult of Mac informed Apple and Quanta of the security problem. Apple declined to comment, and Quanta has not responded to our queries, but it appears Quanta has now disabled the accounts in the PowerPoint document and/or changed the default password.

Paul Ferguson, vice president of Threat Intelligence at IID, an internet security firm, said in general the use of the same default password is “a very stupid thing to do.”

“All organizations — large and small — should brush up on good security practices, and start using them actively,” he said.


  • gwhizkids

    I commend you for alerting Apple and not just publishing the product info. More sites should be like you!

    • OhStopItYou!

      LMAO – they didn’t publish the info because they didn’t want this to turn into what happened the last time the iPhone was leaked. Not only will the Cult of Mac not be given access to all kinds of Apple goodies, chances are they will get sued for it as well.

  • Yo

    Ok, is this just a joke?
    If not, WHERE IS THE SPOILER ALERT???

  • @ohStopItYou! Getting sued is exactly right. Hacking into a confidential database is illegal. It might even be seen as industrial espionage. The reason we didn’t do any stories based on the information and alerted Apple is exactly that — we don’t want to be sued — or worse. Publishing stories based on information gleaned like this sometimes puts journalists in jail.

    For example, the News International phone-hacking scandal. Andy Coulson, the former editor of the NoW, is serving an 18-month jail sentence for unauthorized access to voicemails.

    • Darktanone

      Big ups! Doing the right or wise thing is always going down the right path. Additionally, you kept the information from getting into the hands of the competition. Imagine the big grin on BK’s face, over at Samsung, had the information been released! Much respect to you!

    • OhStopItYou!

      you could always get it “from an anonymous source” but you definitely did the right thing here (which most others would not do)

  • Jonathan

    It was that bad?! Geez! I can’t begin to imagine how much product there was in the pipeline. But kudos to you guys for doing the right thing.

  • Adrayven

    I commend you for not taking from the proverbial cookie jar.

    That said, for every honest man there are several who are not. I have to wonder how many other “leaks” we’ve seen that are a result of this security lapse.

    • Curious

      Yup. That “MacBook stealth” leak is starting to look suspicious.

      • OhStopItYou!

        Am I the only one who thinks it looks a bit off in the design? (not the product but the rendered design itself)

  • Andrew Ryan Reynosa

    Maybe they just alerted them after finding out all the upcoming stuff so they know which rumors are true while competitors are in the dark.