According to YGN Ethical Hacker Group, a Myanmar-based white hat group, Apple’s developer site contains a vulnerability that could open the door for phishing attacks, allowing personal information to be stolen.
Apple’s developer site is used to distribute pre-release software and developer-related documentation to its subscribers for a yearly $99 fee. The vulnerability, known as an "Open Redirect", allows hackers to redirect unsuspecting users to malicious sites by slightly modifying the URL, and in that way obtain personal information:
By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
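As an added illustration (it is not part of the article, nor code from Apple or from YGN Ethical Hacker Group), the Python below contrasts the vulnerable pattern the group describes, a redirect endpoint that forwards to whatever its `next` parameter says, with a hardened version that accepts only same-site relative paths, and then reuses the hardened check as a detection rule over constructed access-log lines. The host name `developer.example.com`, the parameter name `next`, the function names and the log lines are all assumptions made for the example.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Hypothetical host of the site whose redirect endpoint is being protected (assumed, not from the article).
TRUSTED_HOST = "developer.example.com"
DEFAULT_LANDING = "/"


def naive_redirect_target(next_param: str) -> str:
    """Vulnerable pattern: the user is sent wherever the 'next' parameter points.

    A link such as https://developer.example.com/login?next=https://evil.example/phish
    carries the trusted server name but lands on a page the site owner does not control,
    which is exactly what makes the phishing link look legitimate.
    """
    return next_param


def safe_redirect_target(next_param: str) -> str:
    """Hardened pattern: accept only a same-site relative path, otherwise fall back to a fixed page."""
    candidate = (next_param or "").strip()
    if not candidate:
        return DEFAULT_LANDING
    # Protocol-relative targets ("//evil.example") and backslashes, which some browsers
    # normalise to forward slashes, are rejected outright.
    if candidate.startswith("//") or "\\" in candidate:
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    # Any scheme (https:, javascript:, data:) or explicit host means it is not a local path.
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    # Resolve against the trusted origin and confirm the host is unchanged after resolution.
    resolved = urlsplit(urljoin(f"https://{TRUSTED_HOST}/", candidate))
    if resolved.netloc != TRUSTED_HOST:
        return DEFAULT_LANDING
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


# Constructed access-log lines (not from the article) used to exercise the check as a detection rule.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /login?next=/account/settings HTTP/1.1" 302',
    '203.0.113.9 - - "GET /login?next=https://evil.example/phish HTTP/1.1" 302',
    '203.0.113.2 - - "GET /login?next=//evil.example HTTP/1.1" 302',
    '203.0.113.7 - - "GET /docs/ HTTP/1.1" 200',
]


def flag_external_redirects(log_lines):
    """Return (line, next_value) pairs whose 'next' value the hardened check would refuse.

    Running this over existing logs shows whether phishing links are already being
    sent through a redirect endpoint before a fix ships.
    """
    flagged = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request_parts = quoted[1].split(" ")  # e.g. ["GET", "/login?next=...", "HTTP/1.1"]
        if len(request_parts) < 2:
            continue
        query = urlsplit(request_parts[1]).query
        for value in parse_qs(query).get("next", []):
            rejected = safe_redirect_target(value) == DEFAULT_LANDING
            if rejected and value.strip() not in ("", DEFAULT_LANDING):
                flagged.append((line, value))
    return flagged


if __name__ == "__main__":
    for raw in ("https://evil.example/phish", "//evil.example", "/account/settings?tab=1"):
        print(f"{raw!r:40} naive -> {naive_redirect_target(raw)!r:35} safe -> {safe_redirect_target(raw)!r}")
    for line, value in flag_external_redirects(SAMPLE_LOG):
        print("suspicious redirect:", value, "in", line)
```

The hardened check deliberately has no allowlist of external hosts: if the site needs to send users elsewhere, a server-side mapping from a short token to a fixed destination avoids putting any attacker-controllable URL in the parameter at all.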
The group didn’t reveal specific details on the vulnerability and has instead contacted Apple, hoping that the company will fix it. In a statement, the company stressed that security is one of its utmost priorities:
We take the report of a potential security issue very seriously.
As of yet, however, the company hasn’t fixed the vulnerability. The group has threatened to release detailed information to the public on the 3 holes that haven’t yet been fixed, unless the company fixes them quickly. That would be dangerous, since other hackers could easily exploit the disclosed vulnerabilities for their own benefit and put users at risk. Despite that, the hard truth is that many companies are only swift at applying fixes when vulnerabilities are "in the wild".
The same happened this past March, when a vulnerability was found on the website of McAfee, a maker of security software (ironically). Over one month after the company was notified, the vulnerability still wasn’t fixed, causing the group to release the full details online. Shortly after, the vulnerability was finally fixed.
According to US law, the practice of detecting vulnerabilities on third-party infrastructure is considered illegal, since it’s the result of an attempt to break into websites. While that might be the case, YGN Ethical Hacker Group believes very strongly that security breaches must be detected and reported before they’re used for evil.
Until Apple fixes this hole, be sure not to click on any link to Apple’s developer site from an email unless you’re familiar with its source. When in doubt, always head over to apple.com/developer directly.