Many companies likely affected by iOS developer forum compromise
iPhoneDevSDK administrators confirm that the site was compromised and hosted a zero-day exploit in January
IDG News Service - The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook and Apple employees and that many other companies might be affected as well.
At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Twitter did not reveal many details about the attack, but encouraged users to disable Java in their browsers, suggesting that the attack might have involved a Java vulnerability.
On Friday, Facebook revealed that its employees were also targeted in a sophisticated attack last month. "This attack occurred when a handful of employees visited a mobile developer website that was compromised," the company said in a blog post at the time. "The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops."
The company said that the exploit used a zero-day -- a previously unknown -- vulnerability in Java that was immediately reported to Oracle and patched in an emergency Java update on Feb. 1.
"Facebook was not alone in this attack," the company said at the time. "It is clear that others were attacked and infiltrated recently as well."
On Tuesday, Apple announced that a small number of the company's systems had been compromised and infected with malware. The attack involved an exploit for a vulnerability in the Java browser plug-in that was served from a website for software developers, the company said.
Later on Tuesday, citing an unnamed source close to Facebook's investigation into the attack, AllThingsD reported that the compromised website was likely iPhoneDevSDK.com, a community forum for iOS developers.
Ian Sefferman, one of the iPhoneDevSDK administrators confirmed Wednesday that the website had been compromised, but said that he learned about it from the press and not the affected companies.
"We were alerted through the press, via an AllThingsD article, which cited Facebook," he said in a message posted on the forum. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."
"Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew," he said. "We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software."
Oracle Software Licensing: The Value of Resellers
NEW white paper explores real-world insights and:
* The Rise of Audits
* Compliance Spend
* SAM and Compliance
* Working Directly with a...
- ACM Leadership Guide Knowledge worker effectiveness has emerged as a top priority to both optimize the customer experience and help employees work more efficiently. See how...
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Expert Panel: Enterprise Mobility and Data Loss Prevention When it comes to enterprise mobility, it's not just about devices, it's about the way people work. Hear this expert panel discuss the... All Management White Papers | Webcasts