Apple patched a potentially serious hole in its Developer Center earlier this week that could have given anyone unfettered access to the personal contact information of company developers, retail employees and even executives.
Ironically enough, the bug existed in Apple’s internal bug reporting and tracking system Radar. The app is only available for use by Apple employees and contractors, but until this week anyone who figured out where it was hosted could download and use it freely. Radar was previously available at an easily guessable URL just off of Apple’s main bug reporting site but that URL, http://bugreport[.]apple[.]com/downloads/radar.dmg, has since changed.
Finnish software and security tester Jesse Järvi dug up the bug and emailed the folks at Apple news site 9to5Mac.com about it last week but it wasn’t reported until Monday, after Apple had been given enough time to have it fixed.
Once installed, Radar requires an Apple ID to fully sign in to the bug-reporting section of the app. If a wrong password is entered, an error message pops up and the user is again prompted to log in before the app will connect to its server. Järvi discovered, however, that while the app denied the user entry to that section, it did not close or lock the rest of the app.
Some functions, such as the people lookup, remained usable without authentication. By simply going to Find > Person in the app's top menu bar, Järvi – who posted a video of the exploit that can be seen below – was able to look up the personal details of anyone in the directory the app queried.
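The failure Järvi describes is the classic shape of a login gate enforced only in the client while the server answers any request it receives. The following is an added illustration, not Apple's or Radar's code; the page does not say how Radar's backend was built. The directory records, account credentials, endpoint names and `Server`/`Client` classes are all invented for the example. It shows a lookup handler that trusts the client beside one that checks the session on every request, plus a small probe that reports which endpoints still answer without a session.

```python
"""Client-side-only login gate beside a server-enforced one (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory standing in for the people-lookup backend.
DIRECTORY = {
    "jsmith@example.com": {"name": "J. Smith", "dept": "Retail", "phone": "555-0101"},
    "adoe@example.com": {"name": "A. Doe", "dept": "Developer Programs", "phone": "555-0102"},
}
# Invented credentials for the one account that can log in.
ACCOUNTS = {"employee@example.com": "correct horse battery staple"}


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    session: Optional[str] = None


@dataclass
class Response:
    status: int
    body: object = None


class Server:
    """Hypothetical backend with one login endpoint and two lookup variants."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def login(self, req: Request) -> Response:
        user, password = req.params.get("user"), req.params.get("password")
        if ACCOUNTS.get(user) != password:
            return Response(401, "bad credentials")
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return Response(200, token)

    def find_person_vulnerable(self, req: Request) -> Response:
        # Assumes the client only calls this after a successful login,
        # so it never looks at the session at all.
        return Response(200, DIRECTORY.get(req.params.get("email")))

    def find_person_hardened(self, req: Request) -> Response:
        # Every data endpoint validates the session itself.
        if req.session not in self.sessions:
            return Response(401, "authentication required")
        return Response(200, DIRECTORY.get(req.params.get("email")))


class Client:
    """Desktop client whose only gate is a local 'authenticated' flag."""

    def __init__(self, server: Server) -> None:
        self.server, self.session, self.authenticated = server, None, False

    def login(self, user: str, password: str) -> bool:
        resp = self.server.login(Request("login", {"user": user, "password": password}))
        self.authenticated = resp.status == 200
        self.session = resp.body if self.authenticated else None
        # A failure shows an error dialog but leaves the rest of the app open.
        return self.authenticated

    def find_person(self, email: str, endpoint: str = "find_person_vulnerable") -> Response:
        # The menu item works whether or not login succeeded; only the server can refuse.
        handler = getattr(self.server, endpoint)
        return handler(Request(endpoint, {"email": email}, session=self.session))


def unauthenticated_endpoints(server: Server, routes: list, sample: dict) -> list:
    """Probe each data route with no session; return those that still return data."""
    leaky = []
    for name in routes:
        resp = getattr(server, name)(Request(name, sample))
        if resp.status == 200 and resp.body is not None:
            leaky.append(name)
    return leaky


if __name__ == "__main__":
    client = Client(Server())
    print("login ok:", client.login("employee@example.com", "wrong password"))
    print("vulnerable lookup:", client.find_person("adoe@example.com"))
    print("hardened lookup:", client.find_person("adoe@example.com", "find_person_hardened"))
    print("leaky:", unauthenticated_endpoints(
        client.server, ["find_person_vulnerable", "find_person_hardened"],
        {"email": "jsmith@example.com"}))
```

The probe at the end is the check worth running against any client-facing API: call every data endpoint with no credentials at all, and treat anything that answers with real data as a finding, regardless of how the client's login screen behaves.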
Those details included the information of those registered with the iOS, Mac, or Safari developer programs, along with retail and corporate employees, executives and some key partners.
For what it’s worth, there appear to be multiple Tim Cooks at Apple, most of them developers, but Järvi was also able to look up information about himself along with SVP of Worldwide Marketing Phil Schiller and former iOS SVP Scott Forstall. Other employee records were searchable by phone number, email address, department and similar fields.
Järvi emailed Apple’s security team about the issue but claims he received only “arrogant canned responses.” When informed on Saturday, 9to5Mac.com forwarded the bug to someone at Apple, who ran it “up the ladder.” The company had the vulnerability fixed Sunday night when it took its Developer Center offline for maintenance.
The issue was clearly an oversight by Apple: the app did not properly authenticate its users before serving directory data, and the URL from which Radar could be downloaded was not hidden. Of the two, the authentication failure is the one that matters; moving the download URL only makes the client harder to find, and lookups need to be refused server-side unless the request carries a valid session. It is too soon to say whether employees or developers should be worried that their personal data was compromised. Apple did not immediately respond to a request for comment on Thursday. The company fixed the vulnerability in about a day, and it was made public only after it had been patched.