Many companies likely affected by iOS developer forum compromise
iPhoneDevSDK administrators confirm that the site was compromised and hosted a zero-day exploit in January
IDG News Service - The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook and Apple employees and that many other companies might be affected as well.
At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Twitter did not reveal many details about the attack, but encouraged users to disable Java in their browsers, suggesting that the attack might have involved a Java vulnerability.
On Friday, Facebook revealed that its employees were also targeted in a sophisticated attack last month. "This attack occurred when a handful of employees visited a mobile developer website that was compromised," the company said in a blog post at the time. "The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops."
The company said that the exploit used a zero-day -- a previously unknown -- vulnerability in Java that was immediately reported to Oracle and patched in an emergency Java update on Feb. 1.
"Facebook was not alone in this attack," the company said at the time. "It is clear that others were attacked and infiltrated recently as well."
On Tuesday, Apple announced that a small number of the company's systems had been compromised and infected with malware. The attack involved an exploit for a vulnerability in the Java browser plug-in that was served from a website for software developers, the company said.
Later on Tuesday, citing an unnamed source close to Facebook's investigation into the attack, AllThingsD reported that the compromised website was likely iPhoneDevSDK.com, a community forum for iOS developers.
Ian Sefferman, one of the iPhoneDevSDK administrators confirmed Wednesday that the website had been compromised, but said that he learned about it from the press and not the affected companies.
"We were alerted through the press, via an AllThingsD article, which cited Facebook," he said in a message posted on the forum. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."
"Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew," he said. "We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software."
- Study: Total Economic Impact of Google Apps Employees can work faster and IT spending can decrease when companies switch to Google Apps, says a commissioned study by Forrester Consulting. Going...
- Best Practices in BYOD - Addressing BYOD Challenges in the Enterprise Take control of the iOS, Android™ and BlackBerry® devices in your organization, from one powerful, unified console.
- Built for Business: 10 Reasons BlackBerry Smartphones Are Still the Best Way to Do Business The BlackBerry® 10 mobile computing platform removes many of the barriers that slow down other devices. Here are just a few of the...
- Choosing an MDM Platform: Where to Start the Conversation If you're in the early stages of choosing an MDM solution, or you're considering switching vendors, here are seven critical questions to ask...
- Increasing the Value of Your Reports and Dashboards Learn how incorporating other analytical capabilities such as predictive modeling and visualization can increase the value of your reports and dashboards by providing...
- Video surveillance for IT: maximum image quality, minimum bandwidth Join us on Thursday, May 8th at 1 p.m. EST when Willem Ryan, Senior Product Marketing Manager at Avigilon, will discuss how IT... All Management White Papers | Webcasts