Apple on Wednesday removed a number of online developer tools from circulation, saying the assets are down for maintenance, but some members are reporting troubling changes to account details that hint at a potential security breach.
While the main landing page for Apple's developer portal was accessible, a number of vital account services were not. A system status webpage notes maintenance was in progress for Account, Bug Reporter, Certificates, Identifiers & Profiles, Code-level Support, Program Enrollment and Renewals, Software Downloads and Xcode Automatic Configuration.
Details were scarce, but services affected by the downtime were offline from 11:30 a.m. to 2:35 p.m. Pacific.
On Twitter, developers reported strange account modifications that some interpreted as a potential hack. Specifically, physical address data listed on a number of individual accounts were updated to an address in Russia — "bul. Novatorov, Saint Petesburg [sic], Leningrad 198216."
Apple later sent out messages to developers explaining that a "bug" caused its developer website to temporarily display the incorrect account details.
"Due to a bug in our account management application, your address information was temporarily displayed incorrectly in your account details on the Apple Developer website," the note reads. "The same incorrect address was displayed to all affected developers. The underlying code-level bug was quickly resolved and your address information now shows correctly. There was no security breach and at no time were the Apple Developer website, applications, or services compromised; nor were any of your Apple Developer membership details accessed by, shared with, or displayed to anyone."
The unannounced maintenance comes at a critical time for Apple, which is widely expected to release next-generation operating systems at an event next week.
Apple's developer portal was the target of a hack in 2013. Much like today's downtime, Apple during the 2013 breach pulled the online resource without explanation, saying only that the website was undergoing maintenance. Developers were kept in the dark for two days before Apple revealed the intrusion.
At the time, Apple assured developers that sensitive information was encrypted, though the company was unable to determine whether developer names and addresses were leaked. A day later, a self-professed security researcher admitted to leveraging one of 13 undiscovered bugs on the developer website to glean user details, which were subsequently submitted to Apple.
Editor's note: This article has been updated to reflect information from Apple regarding the developer portal glitch, as well as the inclusion of the company's note to developers.
2 Comments
1) When iOS 11b10 came in, I immediately started the 44MiB download and accidentally tapped on the link that takes you to the developer page, which is when I first noticed that the developer page was down. While unlikely, I hope I didn't just install a Russian-built update masquerading as beta 10.
2) I'm happy neither with keeping users in the dark nor with their low payout for critical bug discoveries. This may be a short-term cost center, but I think this leads to a much safer product that costs less down the road.
It’s back up now