Apple patches hole in developer center that exposed user information
Last night Apple took their developer center down to patch a hole that allowed someone with access to the internal Radar app to get the professional contact information for anyone registered with the iOS, Mac, or Safari developer programs. Mike Beasely, reporting for 9to5Mac:
The first step in exploiting this hole was downloading the Radar application from Apple's website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn't cut off access to other tools contained within the software—including the people lookup function.
The issue was spotted by developer Jesse Järvi. iMore has been able to independently verify the fix.
While the Radar app is an internal tool intended for use by Apple employees and contractors, the video above shows it accessible by someone who figures out its path. Also, while the contact information stored in the developer portal is typically of a business rather than personal nature, none of that information is supposed to be accessible to anyone without the proper permissions.
As we've seen repeatedly, from goto fail to Heartbleed, there's no such thing as perfect code. Exploits and openings can and will happen. What matters is how quickly and how well they're dealt with when they're discovered. Kudos to Järvi and 9to5Mac for getting this incident's information to Apple, and to Apple for patching it quickly.
Update: Apple has removed the Radar app DMG file form its previous, unprotected location. (Now returns a 404 error.) Kudos again.
Nick Arnott contributed to this article