With all the news about Anonymous, LulzSec, Anti-Sec, and so on, you’d almost forget there are more ethical hacking groups out there as well. One such group, YGN Ethical Hacker Group, informed Apple of several weaknesses in its developers website on April 25. Apple acknowledged the flaws, but so far, hasn’t done anything about them. YGN Ethical Hacker Group has now stated they will fully disclose the vulnerabilities if Apple doesn’t fix them in the coming few days.
The hacker group claims to have found three separate security flaws in Apple’s developer website – arbitrary URL redirects, cross-site scripting, and HTTP response splitting. Especially the arbritry URL redirects are problematic, since it would make it quite easy to lead a phishing attack to obtain login credentials from Apple’s third party developers. Developers use Apple IDs to login, so this would give malicious folk access to developers’ iTunes accounts.
YGN Ethical Hacker Group isn’t a new group – they’ve already identified similar security issues at other websites. Java.com, for instance, suffered from similar URL redirect issues, but Oracle fixed it within a week, and thanked the hacker group. They also found issues with McAfee‘s website, but McAfee refused to fix anything until the hacker group went for full disclosure.
Apple has been given the same two months to fix their issues, but Apple has so far refused to do so. The issues were reported to Cupertino April 25, and Apple confirmed they had received the information two days later. We’re two months down the line now, and nothing has been fixed, according to the hacker group. As such, they will now take the same steps they took with McAfee: full disclosure.
I find this a very responsible way of dealing with hacking. I would say two months is more than enough time to fix these issues (or at least enough time to detail ongoing work to the hackers to gain an extension if the work proves to be more extensive) – at some point, the hackers must fully disclose this information to inform the public about the dangers of using, in this case, Apple’s developers website.
It will be interesting to see how Apple is going to respond to this.