Apple, Facebook employees hacked via website malware, Java vulnerability

Summary: Facebook and Apple made headlines recently when they announced that employees at both companies had been hacked. It appears that the hacks originated from an infected theme at a popular iPhone SDK forum which exploited a zero day Java vulnerability.

Apple, Facebook hacked via malware in iPhone SDK website - Jason O'Grady

ZDNet's Zack Whittaker detailed the watering hole attack that was injected into a popular iPhone Dev SDK website (no link love due to the potential threat) and which compromised the computers of visiting employees from Apple, Facebook (and potentially Twitter, too) using a zero day exploit in the Java web plug-in.

A note posted at the site reads (full text below):

iPhoneDevSDK has learned it was used as part of an attack whose victims included large internet companies. We have no reason to believe user data was compromised, but to be safe, we've reset all user passwords.

Apple on Tuesday revealed that some employees' computers had been hacked, but that no data were exposed. According to a statement:

"We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple."

The breaches are now believed to have occurred when employees visited the iPhone Dev SDK website, which was infected with zero day malware that exploited a vulnerability in the Java browser plug-in, installing malware on their Mac computers.

Apple yesterday released Java for OS X 2013-001, which uninstalls the Apple-provided Java applet plug-in from all web browsers. Users must then download the latest version of the Java applet plug-in from Oracle in order to use Java applets.

Bloomberg reports that the hacks were the work of an Eastern European gang of hackers attempting to steal company secrets, citing "two people familiar with the matter."

I want to echo Zack's warning not to visit this site, as it may still contain active malware that could lead to infection.

Most importantly: Security holes in Java have been responsible for a number of high-profile attacks recently. All Mac users should install Java for OS X 2013-001 immediately and only install the Oracle Java plug-in if they absolutely need it. Also, heed the rest of Zack's warnings and precautions here, which include:

  1. Remove Java immediately
  2. Check your logs, history, browsing records
  3. Run a full, network-wide malware sweep
  4. Take future precautions: Virtualize and isolate risky software

If you run a WordPress blog, patch it up to the latest release, harden it, and never install themes from unknown/insecure sources. If your WordPress blog has been infected, this post will help you clean it.
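As an added example (not part of the article, nor the forum's or WordPress's own tooling): a small Python scanner that flags, in a theme file, script tags loading from hosts outside an allow-list, obfuscated inline JavaScript, and applet/JAR tags of the kind an injected theme used for a Java drive-by might carry. The sample theme text, the trusted host and the "bad-cdn" host are all constructed for the example.

```python
import re

# Constructed sample theme fragment (hypothetical hosts, not from the incident):
# one legitimate script, one injected external script, one obfuscated inline
# script and one applet tag of the kind used to deliver a Java exploit.
SAMPLE_THEME = """<!DOCTYPE html>
<head>
<script src="https://forum.example/js/vanilla.js"></script>
<script src="http://bad-cdn.example/min.js"></script>
<script>eval(unescape("%3Cscript%20src..."));</script>
<applet code="Loader.class" archive="http://bad-cdn.example/a.jar"></applet>
</head>"""

TRUSTED_HOSTS = {"forum.example"}  # hosts the theme is allowed to load scripts from

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
SUSPICIOUS = re.compile(r"\b(?:eval|unescape|document\.write|fromCharCode|atob)\s*\(", re.I)
APPLET = re.compile(r"<applet\b|<(?:object|embed)[^>]*\.jar\b", re.I)

def host_of(url):
    """Host of an absolute or protocol-relative URL; None for a relative path."""
    m = re.match(r"(?:https?:)?//([^/:?#]+)", url)
    return m.group(1).lower() if m else None

def scan_theme(text, trusted_hosts):
    """Return sorted (line, kind, detail) findings for one theme file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            host = host_of(src)
            if host and host not in trusted_hosts:   # relative paths are local, skip
                findings.append((lineno, "external-script", host))
        if APPLET.search(line):
            findings.append((lineno, "applet-tag", line.strip()[:40]))
    for m in INLINE_SCRIPT.finditer(text):          # inline <script> bodies only
        hit = SUSPICIOUS.search(m.group(1))
        if hit:
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((lineno, "suspicious-inline", hit.group(0)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan_theme(SAMPLE_THEME, TRUSTED_HOSTS):
        print(finding)
```

Run it over every file under wp-content/themes and review anything it flags against a known-good copy of the theme; a clean scan is not proof the site is clean, only that these three patterns are absent.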

Update: Eric Romang has posted a forensic timeline of the attacks.

Here's the full text of the warning at the iPhoneDevSDK:

Today, we were alerted that our site was part of an elaborate and sophisticated attack whose victims included large internet companies. We were alerted through the press, via an AllThingsD article, which cited Facebook. Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach. You can read more about the attack via Facebook's blog post.

As the most widely read dedicated iOS developer forum, we're targeted for attacks frequently. Security is a top priority for us, which is one reason why we switched to Vanilla Forums to host our site last year. Vanilla manages security like pros, and I should be clear that -- as best we can tell right now -- this attack has nothing to do with their software.

Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew. We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software.

What we've learned is that it appears a single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain users' computers.

We're still trying to determine the exploit's exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013.

As with Facebook, it's important to stress that we have no reason to believe user data was compromised.

Just to be sure, we've reset all users' passwords. Please use our Forgot Password feature the next time you log in to reset your password.

We're continuing to work with Facebook, Vanilla, other targeted companies, and law enforcement to find out who is behind this sophisticated attack.

We're very sorry for the inconvenience -- we'll work tirelessly to ensure your data's security now and in the future. I want to thank Vanilla Forums for their help in the matter and for keeping the site secure, as well as Facebook for their help quickly after we reached out.


Talkback

13 comments
  • this cannot be

    Everything Apple is impervious to such devices!
    slickjim
    • Oracle, not Apple

      I think you meant to say Oracle, not Apple. It was their software. Apple doesn't bundle Oracle's Java any more.
      edelbrp
      • Yep

        Funny how Apple always complains about 3rd party software platforms and technologies, yet they never even attempt to do their part to solve any problems or promote compatibility. They are a cult of wannabe monopolists.

        All they need to fix this type of problem is "confirm to run" functionality with an appropriate warning message at the BROWSER (or even OS) level - something plugin vendors obviously don't have any control over. So either Apple is lazy, too dumb to find such a solution, or (most likely) they are purposely neglecting to protect their users from this type of preventable exploit, in order to facilitate their agenda of declaring war with all non-Apple technologies. Sure there's some blame in Oracle's area here too (nearly unpreventable), but Apple knows they have the marketing and (faked) trustability to simply blame the other guy for such issues. Shame on you and your propaganda wars, Crapple.
        Shin Chan
  • make it more obvious

    Boasting created a culture of naïveté that hackers depend on.
    Vapur9
  • curious

    The site used for distributing this attack claims it was JavaScript that was used to infect the victims. So was it JavaScript only, or did they ignore that JavaScript was used to inject Java applets?

    For if it was JavaScript the problem becomes even more serious...
    danbi
    • JavaScript

      If it's "just JavaScript", then it's Apple's fault entirely.
      Shin Chan
  • More ZD crap

    "a zero day Java vulnerability"

    Whatever that's supposed to be.
    Oscar Goldman
    • That's a generic ZDNet-blogger speak for

      "I-really-don't-know-it-is-but-it-sounds-bad!"

      I'm pretty sure that bloggers use this term when they are either trying to impress their audience, or they really don't know what "zero-day" means. They should just say it is a previously unknown Java vulnerability.
      Mr.B.
    • zero day

      Maybe something expecting a 1 - 366 Julian day had a workaround for if "0" was returned? Not sure. Don't really deal with Java.
      ForrestLord
    • Techie Jargon

      It just means that the security hole is newly discovered, and developers have had "zero days" to fix it. Yes, people use it to sound intelligent.
      Shin Chan
  • Blatant Technology Bias

    I love how "OMGOMGOMG REMOVE JAVA!!!!!!" is always the top "solution" to a problem like this. Because, whenever we find a security exploit, the best solution is ALWAYS to disable the technology it uses! DUHHHH. Of course this is probably coming from Apple zombies who will make any excuse they can think of to protect their religious belief that this company is somehow "different".

    If people at Apple (or any of these technology bigots) weren't so busy trying to brainwash ignorant users, maybe they'd have thought of doing what some Chrome browser plugins allow you to do with browser extensions? All you need to do is disable browser plugins until a user clicks or confirms that they want it to run, and most of these problems will be sufficiently mitigated.

    But don't expect the "innovators" at Apple to come up with anything like that. They're too busy trying to emulate early Microsoft's success, apparently still butthurt that they failed to get their own semi-monopoly. (Look at the army of lawyers and lawsuits they're using to try and defeat their competition. Crooks-- all they can do is marketing, copy previously invented technology, and sue their competitors!)
    Shin Chan
    • Removing java isn't just the solution to this problem, it's the solution

      for the next ten too. I'm shocked that apple and fb both don't have java banned from corporate devices by enforced security policy. There's no good reason to allow it anywhere on a corporate network. There's no good reason to allow it on any personal devices either. It's as insecure as flash.
      Johnny Vegas
      • FUD Nonsense, and Technical Ignorance...

        Prove it's less secure.
        (You can't-- you're an idiot! In the grand view of browsers, OSes, and other software, even Flash has a relatively good record. You're just another technology bigot and/or a Steve Jobs FUD parrot.)

        There are also NUMEROUS browser vulnerabilities out there--go look. Should we ban browsers? What about .NET? How about AJAX technologies? There are lots of security risks there. How about "worm" viruses? Quick, disable the Internet!

        In your world, we'd have no development tools left at all because they'd all be blocked or banned. Never mind the million+ Java developers who have proven that Java development is more efficient for certain types of development (particularly, enterprise and web server sw). Never mind the million+ Flash developers who have dominated the user experience market because the quality and efficiency of their work surpassed that of competitors for years, and continues to in many ways. Never mind the fact that Java dominates the enterprise software industry, and the vast majority of major enterprise quality software products are developed on this platform. And definitely never mind the fact that blocking these two platforms (heck lets throw .NET in there too, it's no different than Java!) will negatively impact user choice and break countless software assets.

        Just remove it all-- no loss or negative impact at all, right? You're a fool!
        Shin Chan