Apple Internal Employee App Radar Exposed Personal Developer Info
9to5Mac has a detailed post describing what appears to have been a major security hole involving Apple's developer site over the weekend. It exposed personal information, but has since been closed.
The issue was discovered by developer Jesse Jarvi, and Apple later confirmed to him that the bug had been resolved. How did it work? Through Radar, the internal bug-reporting app used by Apple employees.
Although the app is meant to require an employee Apple ID, its people lookup returned full personal information on members of the Apple and Safari developer programs, including former executive Scott Forstall and Phil Schiller, to anyone who ran it:
The first step in exploiting this hole was downloading the Radar application from Apple’s website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn’t cut off access to other tools contained within the software—including the people lookup function.
Open a directory search and plug in any piece of info, such as a name, phone number, or email address, and the application will promptly bring up a list of matches—no authentication required.
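What that description amounts to, in code: the following is an illustrative model added here (it is not Apple's or 9to5Mac's code, and it does not reproduce Radar's actual API) of the flaw class the quote reports. A client shows a login screen, but the directory-lookup call behind it never checks on the server side whether the caller actually authenticated. The directory entries, the employee allow-list, and every function name below are constructed for the example.

```python
"""Illustrative model (added here; not Apple's code) of the flaw class the
quoted description reports: the client shows a login screen, but the
directory-lookup endpoint behind it never checks whether the caller
actually authenticated. All names and data below are constructed."""
import secrets
from typing import Dict, List, Optional

# Constructed sample directory; not real people.
DIRECTORY: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "555-0101"},
]

# Constructed allow-list of Apple IDs permitted to use the app.
EMPLOYEE_IDS = {"employee@example.com"}

# Server-side session store: tokens are issued only after a successful login.
_SESSIONS: set = set()


def login(apple_id: str) -> Optional[str]:
    """Issue a session token if the ID is on the allow-list, otherwise None.
    A None result is what the client turns into 'kicking you out'."""
    if apple_id not in EMPLOYEE_IDS:
        return None
    token = secrets.token_hex(16)
    _SESSIONS.add(token)
    return token


def _matches(query: str, record: Dict[str, str]) -> bool:
    """Case-insensitive substring match on name, email, or phone."""
    q = query.lower()
    return any(q in record[field].lower() for field in ("name", "email", "phone"))


def lookup_vulnerable(query: str, token: Optional[str] = None) -> List[Dict[str, str]]:
    """Directory search as the post describes it: the login screen is purely
    client-side gating, so the server returns matches whether or not the
    caller holds a session token (the token parameter is never consulted)."""
    return [r for r in DIRECTORY if _matches(query, r)]


def lookup_fixed(query: str, token: Optional[str]) -> List[Dict[str, str]]:
    """Same search, but the server enforces authentication on every request:
    a missing or unknown token is rejected before any data is touched."""
    if token is None or token not in _SESSIONS:
        raise PermissionError("authentication required")
    return [r for r in DIRECTORY if _matches(query, r)]


if __name__ == "__main__":
    tok = login("outsider@example.com")                   # rejected: None
    print("vulnerable:", lookup_vulnerable("alice", tok))  # data anyway
    try:
        lookup_fixed("alice", tok)
    except PermissionError as exc:
        print("fixed:", exc)
```

The point the model makes is the one a practitioner should take from the story: a login dialog in a desktop client is a user-interface convenience, not an access control. Every server-side call the client can issue, including secondary tools such as a people lookup, has to validate the session itself, because anyone can drive the client past the dialog or call the endpoint directly.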
A video of the exploit can be seen below:
Glad this was patched. Apple is expected to release a statement on the issue soon. 9to5Mac says it sat on the story over the weekend and waited until the hole was patched before publishing the details.