Monday, July 22, 2013

Apple's dev center seems like a glorified web BBS

A couple of years ago, I decided to experiment with developing for iOS devices and signed up for Apple's "dev center". I paid the $100 and got to write code to run on my own devices. It didn't work out, however, and so I never released anything and let it lapse. I still have an account in this system, but it's not authorized for anything.

That was enough to earn me membership in this particular exclusive club this evening:

Apple dev website update

Yep, they had a huge security hole, and basically freaked out and pulled the plug. The site has been down for several days at this point. There have been a bunch of stories about it all over the usual sources for nerd news, but this is the first official notification I've received directly from them.

The actual hole seems to be rather amazing. If certain things I've been reading are to be believed, it amounts to a remote command execution vulnerability. Basically, you can say "hey webserver, run this shell command", and it will do exactly that.

Want to see more? Check out this Struts project document. Notice how it practically tells you how to drive a truck through the hole.

In talking with a friend about this situation tonight, I tried to figure out exactly what this site is supposed to do. I never really used it that much. He said that they provide beta downloads, documentation, and forums. There's also some kind of way to configure all of the things which go with adding an app to the store and managing the business side of that.

This all seemed very familiar. Beta file downloads? That's a file transfer section. Documentation? That's the library. Forums? Those are the message boards. These are all things we had back in the days of BBSing!

So, what about the whole "app store" management angle? That's easy. That's a separate program written specifically for the job which augments the rest of the system. It doesn't really connect to it in any meaningful way beyond the base system saying "this is user so and so, have fun!".

We used to call them doors. Most doors were things like games (Trade Wars 2002, that sort of thing), but there were a fair number of utilities. If you wanted to download QWK packets, for instance, that's how you usually did it.

It sure sounds like everything they did on this site could have existed 20 years ago as a BBS. Sure, it would have involved terminal-mode access and a bunch of typing and very little clicking, but I bet it would have been mighty fast and rather effective.

I also suspect it wouldn't have been compromised just by having someone ask the server to run nefarious commands which it gladly executed on their behalf.

Just how often did a BBS get cracked through the front door? It seems like the few "hacks" I heard about in those days all turned out to be inside jobs, like a co-sysop gone bad, or a software author with a chip on their shoulder. It just worked differently back then.

Sometimes I wonder if we will ever wind up back in that sort of world.