AntiSec posts passwords from Apple survey server (updated 5x)

Summary: AntiSec has hacked an Apple server and has posted the login credentials for 26 admin accounts for a machine used to conduct surveys for the Cupertino computer maker.

TOPICS: Servers, Apple, Security

WSJ reports that the hacking group "AntiSec" (short for Anti Security) has hacked an Apple server. To prove its point, the group posted the username and password combos for 27 root and admin accounts, taken from the users table of a MySQL database on a machine apparently used to conduct surveys for the Cupertino computer maker.

Here's a list of the compromised accounts (sorry no link love). The passwords were posted in a similar fashion, immediately below it.

AntiSec is comprised of hackers from both the online vigilante group Anonymous and hackers from the now-defunct Lulz Security, according to the report.

The hackers said in a statement posted to Twitter that they had accessed Apple's systems through a security flaw in software used by the Cupertino, Calif.-based gadget maker and other companies. "But don't worry," the hackers said, "we are busy elsewhere."

The breached server (http://abs.apple.com/fsurvey/survey.html?l=en) appears to be one of Apple's servers for conducting technical support follow-up surveys. Here's an image from the Google cache:

Apple hasn't commented on the extent of the breach, so it's unclear whether any customer data was compromised.

Update: 9to5Mac thinks that AntiSec's Apple claim is relatively benign, noting that LulzSec claimed responsibility for breaching iCloud on June 21:

After mapping their internal network and thoroughly pillaging all of their servers, we grabbed all their source code and database passwords, which we proceeded to shift silently back to our storage deck.


Talkback

38 comments
  • Survey server's hack is good work (#AntiSec movement better be left alone

    ... to expose as many vulnerabilities as possible).

    However, happily for Apple, their main assets like iTunes are run on WebObjects, which is nothing like simple Apache HTTP+MySQL+PHP -- it cannot be hacked and cracked via known "SQL injection" tricks.

    For now, WO was never hacked (there was once a tiny number of accounts' information hacked, but this was done, most probably, on the client side, not on the server side).

    Let's see what will happen to iCloud; for now, the claimed breach of security did not result in any leaks of iCloud users' data or their authentication credentials (most probably, since it is done via WebObjects).
    DDERSSS
    • WebObjects. Get real. That thing's still around?

      @DeRSSS
      Isn't WO based on that *other* technology that Apple now shuns? Oh yeah, it is based on *Java* - which is also dying.

      Oh, and Apple knows. They dropped WebObjects from OS X 10.6 (Snow Leopard). Go figure.

      If you want to see how you avoid SQL injection look to C# with LINQ.

      In PHP writing vulnerable code is unfortunately also the easiest way: String interpolation. That is why you see so many PHP sites compromised.

      In Java everything is hard, so writing good or bad code takes about equal amount of work. Until you need to write more complicated queries. Then it becomes easier to just synthesize the SQL strings again. And then comes the vulnerabilities.

      With LINQ (C# or VB.NET) it is *always* easier to write non-vulnerable code. Even for complex queries. LINQ erases the differences between SQL dialects, it provides strongly typed queries and it fully supports intellisense.

      Time to drop those old error prone technologies and enter the 21st century.
      honeymonster
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @honeymonster

        And Apple has a technology that maps data storage to server queries also.

        I wlll leave you to learn about the modern world.

        Personally I found C# data access to be primitive compared to the Mac based DB dev systems I was using in the mid 80's.

        LINQ looked promising as it would be like moving up to the 80's for me.

        As for *ALWAYS* - I suggest you learn more technologies than the ones you read about in the mainstream IT fashion journals.
        richardw66
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        Why the heck are they storing the password instead of a hash of them? You don't need to store passwords for authentication purposes
        nomorebs
      • How the world looks outside the RDF

        @richardw66

        "And Apple has a technology that maps data storage to server queries also."

        Of course they do. A bloated '80s style mess which *also* encourages bad and vulnerable code by using strings to create queries and predicates. Which was what led to this quagmire.

        Oh, and WebObjects (and Enterprise Object Framework along with it) is considered a "legacy" technology by Apple: "Important: The information in this document is obsolete and should not be used for new development. Links to downloads and other resources may no longer be valid."

        WebObjects was what DeRSSS claimed was superior. Deprecated.

        Outside the RDF we have moved on. We are now using strongly typed queries and robust persistence with no coding-with-strings in sight.
        honeymonster
      • DeRSSS wrote something that wasn't true?

        @honeymonster
        That's weird. DeRSSS has built up a reputation of always being right when talking about how superior Apple technology is. He correctly stated that Apple invented LightPeak so I'm pretty sure he is also correct that WebObjects are superior to everything else. If Apple has deprecated WebObjects, it is only because they are releasing iWebObjects which will be EVEN BETTER!!! YEAH!!!
        woulddie4apple
      • I did not write that 'WebObjects is superior'; however, it is superior to

        @honeymonster: ... most of PHP + MySQL applications in terms of safety.
        DDERSSS
      • WebObjects

        @DeRSSS
        WebObjects are still based on text queries/predicates.

        What it has going for it is *lack* of string interpolation. When you have to concatenate strings to create a text query it is only marginally harder to use proper parameterized queries. But you still operate in text, and when the parameters do not suffice (like when you need the "in" operator) the temptation to just create the query in text is always there.

        There's still no comparison to LINQ where you get to write concise queries, strongly typed even when e.g. joining tables/entities. No strange parameters, no strange query strings with placeholders. Just portable queries.
        honeymonster
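The distinction honeymonster draws above (query text built from strings versus bound placeholders, including the "in" case where placeholders seem not to suffice), shown as an added Python/sqlite3 example that is not from the page or from any project it names. The users table and names are constructed, and sqlite3 stands in for the MySQL database mentioned in the article.

```python
import sqlite3

# Constructed sample rows for this added example (not data from the page).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'users' table discussed in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def roles_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """The 'easy way' the thread warns about: the caller's string becomes SQL text.

    Kept here only so the test can show that it answers with rows the caller
    never asked for; it is the form to reject in code review."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def roles_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder form: the driver sends `name` as data, so it can only ever match a name."""
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def roles_in(conn: sqlite3.Connection, names: list) -> list:
    """The IN case from the comment: the query *shape* (how many placeholders) comes
    from code, while every value still travels as a bound parameter."""
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT name, role FROM users WHERE name IN ({placeholders}) ORDER BY name"
    return conn.execute(sql, tuple(names)).fetchall()
```

A unit test that feeds a quote-bearing string into both forms and fails when the interpolated one returns extra rows is a cheap regression guard for exactly the temptation the comment describes.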
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @honeymonster I take it neither of you have seen even an old PHP framework. Just about all of them stop SQL injection attacks. You're trying to compare the LINQ framework to a language. It all comes down to the developer. The same guy can write raw HTML in C# just as easily as they can in PHP. That's exactly why .Net apps were the targets of SQL injection attacks galore a few summers ago. Interesting thing is that I hear most .net devs moving on from Linwood to things that are more Java like in nature. Well at least the really good devs.
        storm14k
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @honeymonster

        Enterprise java is not dying. Avoiding injection through LINQ or other ORM solutions is not new. JPA (Java Persistence API) is older than linq and provides specifications for Enterprise Java ORM solutions, and does the same thing... What you've written proves that you've never used Java for SQL beyond simple JDBC. Some people still do that, but they're stuck in 2004. It's 2011 now, mature ORM solutions like Hibernate have been out for years and years now and are the norm. Hibernate can do every relationship that Linq can do, plus built in transparent caching.

        I'm sorry that you're not educated on Java. Please consider learning about EJB before you make assertions that will make you look dumb to anyone who actually works with EJB. From my personal experience, having worked with both Linq and Hibernate fairly extensively, it's easy to write concise queries for both. See JPQL, it's a wholly object-based querying language that JPA will translate to parameterized SQL.

        It's still possible to write injectable C# code if you don't use Linq or prepared statements. Similarly it's still possible to write injectable PHP or Java without prepared statements. Linq is a nice framework, but face the truth (or continue looking ignorant), ORM is not a Microsoft invention, Linq does many things that Hibernate did before it (hence why NHibernate, the .Net version, continues to be very popular). The truth of the matter is there is no one true technology that does this, many technologies can, and do do the same thing well. The mark of a good developer is language agnosticism and a willingness to learn about more than one platform.

        As far as webobjects goes... I don't use it. The java port came out in what, 2005, at which point something better, i.e. EJB, was already available.
        snoop0x7b
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @honeymonster
        Java dying? Really? Wow, quite a statement!
        Eleutherios
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @honeymonster Bah, time to drop all this SQL nonsense and go back to DBase. :-)
        jgm@...
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @snoop0x7b

        "Enterprise java is not dying."
        No, it is just relegated to legacy status. Withering slowly away.

        "Avoiding injection through LINQ or other ORM solutions is not new."
        Ah, but your Java ORM solutions only protect against injections in the basic scenarios. Enter a little complicated query - or even just a projection - and you are back to string mongering. Not a specific SQL dialect; but vulnerable string synthesis if you are not careful. Note how that is *avoided* using LINQ.

        "JPA (Java Persistence API) is older than linq and provides specifications for Enterprise Java ORM solutions, and does the same thing..."
        It does *some* of the same things. Poorly.

        "What you've written proves that you've never used Java for SQL beyond simple JDBC."
        I've been there with Java+Hibernate, pal. Several big projects.

        "It's 2011 now, mature ORM solutions like Hibernate have been out for years and years now and are the norm."
        Yes, it certainly is the norm, as it is quite good. Very good, indeed, when you consider the card they were dealt by Java.

        "Hibernate can do every relationship that Linq can do, plus built in transparent caching."
        Yeah - that is exactly it. I have *never* seen a Hibernate solution perform beyond mediocre. Hibernate absolutely *needs* caching to be tolerable. And with caching comes complexity. I've been there.

        "I'm sorry that you're not educated on Java. Please consider learning about EJB before you make assertions that will make you look dumb to anyone who actually works with EJB."
        What's with the personal attacks? I have written my share of Java code and I have butted heads enough with Hibernate. Enough with your insults!

        "From my personal experience, having worked with both Linq and Hibernate fairly extensively, it's easy to write concise queries for both."
        Me too, and nothing beats LINQ with EF (or even NHibernate) at this time.

        "See JPQL, it's a wholly object-based querying language that JPA will translate to parameterized SQL."
        You don't get it. JPQL is just *another* string based query language. No strong typing, no editor assistance and (worse) in many situations it is *still* easier to just concatenate the parameter value. And with that come the injection vulnerabilities.

        "It's still possible to write injectable C# code if you don't use Linq or prepared statements."
        Yes. And also if I use plain C or assembly language. But with LINQ, writing correct, non-vulnerable queries is always *easier* than writing the vulnerable version. That's the difference.

        "Similarly it's still possible to write injectable PHP or Java without prepared statements."
        Yes.

        "Linq is a nice framework, but face the truth (or continue looking ignorant), ORM is not a Microsoft invention,"
        No, Microsoft was late to the game with an ORM. LINQ is not just an ORM, though. Actually LINQ is not an ORM at all. Entity Framework, which *uses* LINQ, is an ORM.
        Did you say you had a lot of experience with LINQ?

        "Linq does many things that Hibernate did before it"

        No. LINQ is language integrated query and has nothing to do with databases at all. Hibernate is all about databases. Did you say you had experience with LINQ?

        "(hence why NHibernate, the .Net version continues to be very popular)."
        No, NHibernate became popular because Microsoft was late to the game with an ORM (like LINQ2SQL or Entity Framework).

        "The truth of the matter is there is no one true technology that does this, many technologies can, and do do the same thing well."
        The truth is that among the mainstream strongly typed languages, only C# and VB.NET have anything like the expression trees necessary for allowing strongly typed queries. Some of the dynamic languages come close by cleverly using late binding, like e.g. Ruby's ActiveRecord.

        "The mark of a good developer is language agnosticism and a willingness to learn about more than one platform."
        Agree. You can start here:
        http://msdn.microsoft.com/en-us/library/bb308959.aspx
        honeymonster
    • Thanks for the authoritative and informative post

      @DeRSSS
      I will ignore everywhere you wrote "probably" and go around the Internet claiming the things you wrote as 100% undeniable fact. I'm not sure exactly why you wrote "probably" in so many places because it almost sounds like you don't know any of this and are simply making it up. Probably.
      woulddie4apple
      • Troll

        @woulddie4apple
        DDERSSS
      • Are you confident enough to remove all your "probablys"?

        Go ahead. Edit your post and remove all the "probablys" if you are so confident in what you wrote. If you aren't, that makes you the troll, not me!
        woulddie4apple
      • RE: AntiSec posts passwords from Apple survey server (updated 4x)

        @woulddie4apple

        If you don't know the definition of the word "troll", don't use it, troll.

        And educate yourself about LightPeak.
        DeusXMachina
  • Apple has much to learn about security

    Historically it hasn't been worth targeting Apple's systems and products. But Apple's own PR and marketing hype has made the corporation a target, ensuring high-profile status for any incident.
    Tim Acheson
    • You have much to learn about much

      @Tim Acheson

      Blah blah security through obscurity blah blah stated like it is an original interesting idea blah blah blah.

      BULL.
      DeusXMachina
  • Hope this shakes them up.

    I hope this shakes up and wakes Apple up from their delusional belief that they can do no wrong, thanks to the Omnipotent Aura of Lord Jobs. Get your systems well designed and secure, Apple.
    kraterz