Many companies likely affected by compromise of popular iOS developer forum

iPhoneDevSDK administrators confirm that the site was compromised and hosted a zero-day exploit in January

The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook and Apple employees and that many other companies might be affected as well.

At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Twitter did not reveal many details about the attack, but encouraged users to disable Java in their browsers, suggesting that the attack might have involved a Java vulnerability.

On Friday, Facebook revealed that its employees were also targeted in a sophisticated attack last month. "This attack occurred when a handful of employees visited a mobile developer website that was compromised," the company said in a blog post at the time. "The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops."

The company said that the exploit used a zero-day -- a previously unknown -- vulnerability in Java that was immediately reported to Oracle and patched in an emergency Java update on Feb. 1.

"Facebook was not alone in this attack," the company said at the time. "It is clear that others were attacked and infiltrated recently as well."

On Tuesday, Apple announced that a small number of the company's systems had been compromised and infected with malware. The attack involved an exploit for a vulnerability in the Java browser plug-in that was served from a website for software developers, the company said.

Later on Tuesday, citing an unnamed source close to Facebook's investigation into the attack, AllThingsD reported that the compromised website was likely iPhoneDevSDK.com, a community forum for iOS developers.

Ian Sefferman, one of the iPhoneDevSDK administrators confirmed Wednesday that the website had been compromised, but said that he learned about it from the press and not the affected companies.

"We were alerted through the press, via an AllThingsD article, which cited Facebook," he said in a message posted on the forum. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

"Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew," he said. "We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software."

The hackers managed to compromise an administrator account and used it to alter the site's files and insert malicious JavaScript into them, Sefferman said. "That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user's computers."

It is very likely that iPhoneDevSDK was the common gateway for the attacks against Twitter, Facebook and Apple, Sean Sullivan, a researcher at security firm F-Secure, said Wednesday via email.

Sullivan believes that while it's possible the attackers did their homework and researched in advance who visited the forum, it's also possible that they never expected to hack into Twitter, Facebook and Apple systems in particular. "In fact, that might have been their undoing -- they caught too many big fish with strong security teams," he said.

Twitter did not immediately respond to an inquiry sent Wednesday seeking confirmation that the attack against the company involved a previously unknown Java exploit hosted on iPhoneDevSDK.

The exact timeline of the attack against the Web forum is not clear, but it seems that the hackers removed the exploit on Jan. 30, Sefferman said.

Earlier this week, Sullivan said in a blog post that F-Secure obtained some samples of Mac malware uploaded to VirusTotal on Jan. 31, one day before Twitter's hack announcement, that might have been used in the attacks.

One of the samples was a backdoored SSH daemon binary that was very likely dropped by an exploit. The others were one-line Perl scripts that run at startup and open a reverse shell to a remote server, he said.

The URLs contacted by these scripts included a domain that misspelled "Apple Corp"; a domain that sounded like the name of a digital consulting company; and a domain that pretends to be a cloud storage service.

Given the audience of iPhoneDevSDK -- iOS developers -- the attack most likely targeted Mac OS users, Sullivan said Wednesday. However, some old samples of Windows malware that contact one of the same domains as the new Mac backdoors have also been identified. So the same attackers also targeted Windows users in the past, he said.

This type of attack that involves infecting a website frequently visited by a targeted group of people -- for instance, employees of companies in a certain industry, political and human rights activists supporting a certain cause -- is referred to in the security community as a "watering hole" attack, because the method resembles the hunting habits of predatory animals who wait near pools of water for prey to come and drink.

Sefferman described iPhoneDevSDK as "the most widely read dedicated iOS developer forum." The site does not publicly list the exact number of registered users, but it has sub-forums dedicated to certain topics that have tens or hundreds of thousands of replies.

Sullivan believes that, given the popularity of iPhoneDevSDK, many other companies were probably affected by this attack as well, but have yet to come forward or even discover the malware on their employees' systems.

Companies who develop iOS apps should probably ask their employees if they visited iPhoneDevSDK in recent months and should analyze their work computers for malware.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags online safetyf-securetwitterspywareExploits / vulnerabilitiesmalwareOracleFacebookAppleintrusionsecuritydata breachDesktop security

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?