
This article was published on February 20, 2013

How an iOS developer site led to hacking of Apple and Facebook, without the owner’s knowledge

Story by Matthew Panzarino

Matthew Panzarino was Managing Editor at TNW. He's no longer with the company, but you can follow him on Twitter.

Yesterday’s announcement that several computers inside Apple had been hacked made a lot of waves. It followed a breach announced earlier this month at Facebook, and the two incidents had a common feature: an iOS developer forum called iPhone Dev SDK.

The site, owned by Ian Sefferman, was used to host malicious code that exploited a ‘zero-day’ (previously unknown) Java hole to inject malware onto computers. After the hacking incident, several reports pointed to the hackers’ goal being company secrets like upcoming products or perhaps even code used in apps that would allow them to inject their chosen malware into more devices.

The attacks appear, according to sources close to the investigation, to have originated in eastern Europe, rather than China, where attacks targeting media companies like The New York Times and the Wall Street Journal came from.

We reached out to Sefferman to find out how much, if anything, the site’s administration knew about the attack. What he shared in a blog post this morning is extremely interesting. First of all, no one at the site knew anything about it until the story broke in the press.

“We were alerted through the press, via an AllThingsD article, which cited Facebook,” says Sefferman. “Prior to this article, we had no knowledge of this breach and hadn’t been contacted by Facebook, any other company, or any law enforcement about the potential breach.”

It’s pretty crazy that no one involved in the hacking of Facebook, and likely Apple as they also cited an unnamed ‘developer site’ as the source of the malware injection, reached out to the site administrators to try to determine the source of the hack. Ironically, if a member of the press had been tracking this story, it’s likely that they (if they were conscientious) would have at least reached out to Sefferman for more information.

Sefferman acknowledges that, as a large, dedicated iOS developer forum, the site is targeted for attacks frequently. It switched over to Vanilla Forums last year for hosting and he says that the hack has absolutely nothing to do with Vanilla’s software. The site’s administrators were in immediate contact with Facebook Chief Security Officer Joe Sullivan and the security team to try to figure out what they knew.

“What we’ve learned is that it appears a single administrator account was compromised,” says Sefferman. “The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain users’ computers.”

That previously unknown exploit was a Java vulnerability that was patched yesterday on Mac computers by Apple. Sefferman says that the timeline for the exploit is still under investigation, but it looks as if it was ended voluntarily by the hacker on January 30th.
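The chain Sefferman describes (a legitimate administrator login used to edit the forum theme and slip a script tag into every page) is one the site operator can detect without knowing anything about the Java exploit itself. The Python below is an added example, not code from iPhone Dev SDK, Vanilla Forums or the article: it keeps a hash baseline of the theme templates and flags any `<script src>` that loads from a host outside an allowlist. The template names, their contents and the hostnames are constructed placeholders.

```python
"""
Detecting theme tampering on a forum: compare the served theme files against a
known-good baseline and flag <script> tags that load from unapproved hosts.
Added example with constructed data; file names and hosts are placeholders.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline: theme templates as the administrators deployed them.
BASELINE_THEME = {
    "default.master.tpl": (
        '<html><head><title>Forum</title>\n'
        '<script src="/js/forum.js"></script>\n'
        '</head><body>{content}</body></html>'
    ),
    "footer.tpl": '<div class="footer">Powered by the forum software</div>',
}

# Constructed "current" copy: one template has had a remote script injected.
CURRENT_THEME = {
    "default.master.tpl": (
        '<html><head><title>Forum</title>\n'
        '<script src="/js/forum.js"></script>\n'
        '<script src="https://cdn.unknown-placeholder.invalid/x.js"></script>\n'
        '</head><body>{content}</body></html>'
    ),
    "footer.tpl": '<div class="footer">Powered by the forum software</div>',
}

# Hosts allowed to serve script to the forum's pages. The empty string stands
# for relative URLs (same origin). Hypothetical allowlist.
ALLOWED_SCRIPT_HOSTS = {"", "static.forum-placeholder.invalid"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_hashes(theme: dict) -> dict:
    """Record one hash per theme file at deploy time. Store the result
    somewhere the forum's admin account cannot write to."""
    return {name: sha256_hex(body) for name, body in theme.items()}


def changed_files(baseline: dict, current: dict) -> list:
    """Files whose content no longer matches the baseline hash, plus files
    that appeared or disappeared since the baseline was taken. Inline
    script injections are caught here even if they load nothing remote."""
    names = set(baseline) | set(current)
    return sorted(
        name for name in names
        if name not in baseline or name not in current
        or sha256_hex(current[name]) != baseline[name]
    )


def unapproved_scripts(html: str, allowed_hosts: set) -> list:
    """External <script src=...> URLs whose host is not on the allowlist."""
    findings = []
    for attrs in SCRIPT_TAG.findall(html):
        match = SRC_ATTR.search(attrs)
        if match is None:
            continue  # inline script: covered by the hash comparison
        src = match.group(1)
        host = urlparse(src).netloc.lower()  # "" for relative URLs
        if host not in allowed_hosts:
            findings.append(src)
    return findings


def audit_theme(baseline: dict, current: dict, allowed_hosts: set) -> dict:
    """Run both checks and return the findings as plain data."""
    report = {"changed_files": changed_files(baseline, current),
              "unapproved_scripts": {}}
    for name, body in current.items():
        bad = unapproved_scripts(body, allowed_hosts)
        if bad:
            report["unapproved_scripts"][name] = bad
    return report


if __name__ == "__main__":
    baseline = baseline_hashes(BASELINE_THEME)
    print(audit_theme(baseline, CURRENT_THEME, ALLOWED_SCRIPT_HOSTS))
```

The point of the design is that the check runs out of band: the baseline is taken at deploy time and kept where the forum's own administrator role cannot alter it, and the comparison runs on a schedule against the templates as actually served. Because the tampering in this incident came through a valid admin login rather than a software bug, application-level permissions alone would not have raised an alarm; a change to a theme file that no deployment explains is the signal.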

Sefferman says that there is currently no reason to believe that any user data was compromised.

This incident represents a different sort of attack than we typically hear about. Instead of targeting an individual, it targeted a pool of users that crosses company boundaries (in this case, iOS developers). This type of attack, called a ‘watering hole’, has the potential to entrap a wide range of people at tech-savvy companies. Though we only know about the Apple and Facebook hacks (and have suspicions that the recent Twitter hack was related), it seems incredibly likely that this hack also affected other companies.

And because this hack used a potent zero-day vulnerability, it could be delivered silently, without any knowledge on the part of either the site delivering it or the companies being hacked. This kind of attack isn’t going away; it’s only going to get more prevalent.

Sefferman’s blog post is here; note that although the site has discovered the hack, we’re still urging caution before visiting it for the time being.

Image Credit: Justin Sullivan/Getty Images
