Apple Criticized For Taking 3 Days To Disclose Developer Site Hack

Developers and security experts criticized Apple on Monday after the company waited three days before disclosing that its developer website had been hacked.

On Thursday, Apple took down its developer site, which is used by programmers who write apps for iPhones and iPads, for what it described as "maintenance." On Sunday, the company revealed that "an intruder" had attempted to steal data from the website.

Some wondered why Apple took so long to disclose the breach.

Dustin Curtis, the creator of the blogging platform Svbtle, tweeted: "Q: What's the best thing to do after a huge security breach? A: Probably not this: tell no one for 3 days, then send poorly-worded email."

Steve Streza, an independent developer, also appeared to criticize the timeline of Apple's disclosure. "Thursday, we took down the site," he tweeted. "Sunday, we got around to telling you all about it."

Graham Cluley, a security expert, called the three-day delay "disappointing."

"If developers had known sooner that their email address and other details could have been exposed, they could have been on the lookout for phishing emails or other attempts to exploit the information," he said in an email to HuffPost.

Another expert, however, characterized the turnaround as "fast" and said Apple should be commended.

"In security, everybody will be breached eventually, but how fast you respond is what matters," said Marcus J. Carey, a security researcher at Threat Agent, a security firm. "Some companies take weeks or months to act on something like this. I give them credit for acting fast."

In response to the incident, Apple said in a statement posted on the site on Sunday that it was overhauling its systems and databases. The company said no customer information was affected and that developers' sensitive data had not been accessed.

"However, we have not been able to rule out the possibility that some developers' names, mailing addresses and email addresses may have been stolen," Apple said, adding that it was disclosing the breach "in the spirit of transparency."

A Turkish security researcher, Ibrahim Balic, claimed that he was responsible for the breach in a comment on TechCrunch on Monday.

Balic wrote that he found a bug that revealed developers' information when using the site, and reported it to the company. As an example, he sent along user details for 73 Apple employees he was able to see -- though the flaw allowed him to obtain information on more than 10,000 people, he wrote.

An Apple representative did not respond to a request for comment, and it is unclear if Balic is indeed the source of the hack.

Apple has a complicated relationship with security researchers. In some cases, the company has punished them for the methods they use in order to expose security weaknesses. Balic said he was concerned that Apple might "blacklist" him because of the way he reported the flaws.

In 2011, well-known security researcher Charlie Miller developed an application that he believed could download malware onto iPhones and iPads. To prove this, he disguised his app as a stock ticker program and got it approved for distribution in Apple's App Store.

But instead of thanking Miller for his work, Apple revoked his app developer license, saying it violated the developer agreement that forbids developers to "hide, misrepresent or obscure" an app. He was also suspended for one year from Apple's developer program.

Apple's once sterling reputation for security has taken some hits over the past year, following several reports of malware infecting its products and services. In March, The Verge reported on a security flaw that allowed hackers to reset Apple customers' passwords -- knowing only their email address and date of birth.

Last year, security researchers found a piece of malware called Flashback that infected more than 500,000 Mac users and netted cyber criminals more than $10,000 a day through a security flaw in Java software.
