Send a carrier pigeon —

Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped

iPhoneDevSDK says it wasn't contacted by the companies or law enforcement.

iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you're wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. iPhoneDevSDK is, however, now working with Facebook's security team to share information about what happened.

"We were alerted through the press, via an AllThingsD article, which cited Facebook. Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach," wrote iPhoneDevSDK admin iseff.

"What we've learned is that it appears a single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain users' computers," he went on. "We're still trying to determine the exploit's exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013."

As a precautionary measure, the site has reset the forum passwords for all its users, though it says there's no evidence any data was taken.

A person with knowledge of recent attacks that hit Apple, Facebook, and Twitter told Ars all three companies were targeted using the same iPhoneDevSDK page. Such techniques are often referred to as "watering hole" attacks. Just as predators camp out at ponds in wait of thirsty prey, hackers often infect sites frequented by employees of the companies they want to penetrate.

Apple has not explicitly pointed towards iPhoneDevSDK as the site that led to its own hack, announced on Tuesday afternoon. The company did say, however, it was hacked in the same way as Facebook. Apple hinted in an e-mailed statement to the media that an unnamed "website for software developers" was involved. This has led to many observers tying the two together—an unconfirmed, but not unreasonable assumption.

The security breaches at both companies were due to an undocumented vulnerability in the browser plugin for Oracle's Java—an increasingly common problem for those running Java on their machines. This is part of why Apple removed the Java plugin from all Mac-compatible Web browsers in late 2012, then blacklisted Java browser plugins on OS X twice already this year in order to prevent critical exploits. But many users—particularly developers—still have uses for the Java plugin, potentially putting them at increased risk for attack.

"The attack was injected into the [third-party] site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected regardless of how patched their machine was," Facebook Chief Security Officer Joe Sullivan told Ars last week.
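The two statements above describe the same thing from different ends: a compromised admin account changed the forum theme, and the served HTML then carried script and Java-plugin content that visitors never asked for. The following is an added example, not code from the article or from iPhoneDevSDK, of the kind of integrity check a site operator can run over its own rendered pages: it flags any script source, inline script, or Java applet/object embed that is absent from a known-good baseline. The baseline paths, the inline-script hash, and the sample page are constructed placeholders.

```python
# Added example, not from the article or from iPhoneDevSDK: flag script and
# Java-plugin embeds in a served page that are absent from a known-good baseline.
import hashlib
from html.parser import HTMLParser

# Constructed baseline (placeholder values): theme script paths and the SHA-256 of its one inline script.
BASELINE_SRC = {"/js/forum.js", "/js/theme.js"}
BASELINE_INLINE = {hashlib.sha256(b"initTheme();").hexdigest()}
JAVA_MIME_PREFIXES = ("application/x-java", "application/java")

class EmbedScanner(HTMLParser):
    """Collect <script>, <applet>, <object> and <embed> elements as they stream by."""
    def __init__(self):
        super().__init__()
        self.findings, self._src, self._inline = [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":                      # start buffering the inline body
            self._src, self._inline = a.get("src"), []
        elif tag == "applet":                    # Java applet embedded outright
            self.findings.append(("java-applet", a.get("code", "")))
        elif tag in ("object", "embed") and str(a.get("type", "")).startswith(JAVA_MIME_PREFIXES):
            self.findings.append(("java-plugin", a["type"]))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._inline is None:
            return
        if self._src is None:                    # inline script: compare by content hash
            digest = hashlib.sha256("".join(self._inline).encode()).hexdigest()
            if digest not in BASELINE_INLINE:
                self.findings.append(("unknown-inline-script", digest[:12]))
        elif self._src not in BASELINE_SRC:      # external script: compare by path
            self.findings.append(("unknown-script-src", self._src))
        self._src, self._inline = None, None

def scan_page(html):
    """Return (finding_type, detail) pairs for embeds not covered by the baseline."""
    parser = EmbedScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample page: two legitimate tags followed by three injected ones.
SAMPLE_HTML = """<html><head><script src="/js/forum.js"></script><script>initTheme();</script>
<script src="//cdn.example.net/stats.js"></script><script>var a=1;</script>
</head><body><applet code="Loader.class" archive="/x.jar" width="1" height="1"></applet></body></html>"""
```

Running `scan_page(SAMPLE_HTML)` reports the off-site script, the unrecognised inline script, and the applet, while the two baseline tags pass silently; the same check run against a stored copy of the theme template catches a modification before it reaches visitors.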

Bloomberg News is reporting that Apple, Facebook, and Twitter are just three of 40 companies targeted by attackers located in Eastern Europe.
