Hackers Warn Apple About Potential Security Holes
Posted 06/28/2011 at 2:34pm | by Adrian Hoppel
Apple's developer website for Mac OS X, iPhone, and iPad is ripe for hacking, according to YGN Ethical Hacking Group. YGN, allegedly based out of Myanmar, claims that a malicious hacker could exploit potential security holes in this website to launch phishing attacks. If successful, such attacks cause users to unknowingly enter credentials into a fake web page.
YGN identified URL redirects, cross-site scripting, and HTTP response splitting as three issues that can be easily exploited on Apple's developer site. Specifically, they claim the URL redirect is the biggest liability.
"By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," YGN said. The redirect would appear to come from developer.apple.com but would cause users to end up at a malicious site, giving the phishing attempt "a more trustworthy appearance".
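The open-redirect flaw described above comes down to a server echoing an attacker-controlled URL parameter straight into a Location header. The following is an added illustration (not code from the article, from YGN, or from Apple's site) of that vulnerable pattern beside a hardened version that only permits destinations on an allow-listed host; the origin, host list and parameter name are constructed assumptions.

```python
from urllib.parse import urlparse, urljoin

# Constructed values for this example; the real parameter name and host
# list on the affected site are not known from the article.
SITE_ORIGIN = "https://developer.example.com"
ALLOWED_HOSTS = {"developer.example.com"}


def unsafe_redirect_target(url_param: str) -> str:
    """Vulnerable pattern: the 'url' parameter is used as-is as the redirect
    destination, so any attacker-supplied absolute URL is honoured."""
    return url_param


def safe_redirect_target(url_param: str, default: str = "/") -> str:
    """Hardened pattern: resolve the parameter against the site origin and
    only allow destinations whose host is on the allow list."""
    if not url_param:
        return default
    # Reject CR/LF so the value cannot inject extra headers (response splitting).
    if "\r" in url_param or "\n" in url_param:
        return default
    # Normalise backslashes, which some browsers treat as forward slashes,
    # so "/\evil.example" cannot sneak past as a relative path.
    candidate = url_param.replace("\\", "/")
    # urljoin turns relative paths into same-origin URLs but leaves absolute
    # and scheme-relative ("//evil.example") URLs pointing where they point.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return default
    # hostname strips userinfo, so "https://trusted@evil.example" is seen as evil.example.
    if parsed.hostname is None or parsed.hostname.lower() not in ALLOWED_HOSTS:
        return default
    return resolved


if __name__ == "__main__":
    for value in ("/account", "//evil.example/login",
                  "https://developer.example.com@evil.example/"):
        print(f"{value!r:50} -> {safe_redirect_target(value)}")
```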
YGN claims to have notified Apple of the issues on April 25, and received a response from Apple on April 27 stating, "We take the report of a potential security issue very seriously." However, YGN believes Apple has not yet fixed the issue. According to Ars Technica, YGN is threatening to release the details of these issues "in a few days" to the security mailing list Full Disclosure.
Earlier this year YGN uncovered a similar URL redirect issue on Oracle's Java.com website, and Oracle corrected it quickly and thanked the group for their help. YGN also found security issues on McAfee's website, but frustrated by what they perceived to be a slow response, issued and then followed through with a similar threat of releasing the details to the public. Only after the public release of the vulnerabilities, according to YGN, did McAfee acknowledge the issues.
YGN states it does not want the security issues it uncovers to be used by malicious hackers, and is only trying to encourage better security across the web. The practice of unsolicited vulnerability scans and website assessments, however, remains extremely controversial.
Via Network World