iTunes Connect bug logs developers into random Apple account, displays wrong apps
Many developers logging into Apple's iTunes Connect portal on Thursday found themselves presented with a peculiar and potentially serious error: the site was displaying the username, company, and apps of someone who is not them.

After logging into the iTunes Connect website, many developers found that the account details displayed (name and company) belonged to someone else. When browsing to the "My Apps" section, developers were also shown applications that are not theirs.
AppleInsider was able to verify the error with a developer who logged in, only to see the information for a random person who works for the Sherwin-Williams Company.
The applications displayed when logged in were for an entirely different company, Kelly Services, Inc., suggesting that the username may not be associated with the apps displayed.
After logging out and attempting to log back in, the developer was presented with a message saying that iTunes Connect is not available.
The bug, which first appeared Thursday morning, appears to be widespread, as a number of developers took to Twitter to show how the glitch was affecting them. For example, Paul Haddad of Tapbot, maker of Tweetbot, logged in to see a series of H&R Block tax applications, and received numerous responses from other developers experiencing similar issues.
The error exposed the private email addresses and other details of the people developers were logged in as, which makes it a major security concern in its own right. It's unclear whether the login error also allowed developers to make changes to others' accounts; if it did, the exposure would extend from reading another developer's data to modifying their apps.
iTunes Connect is the gateway developers use to make their applications available for sale on the iOS and Mac App Stores.

Comments
Yea, this was mentioned at the end of Apple's earnings call. Some analysts warned investors that this might put a drag on Apple stock's upside in the next 12-96 months, and urged their clients to sell their APPL holdings immediately. Another group of analysts predicted that Samsung and Al's Home Furnishings in southern Nebraska might move into this space and give Apple a run for its money in the developer portal arena.
Caveat emptor, indeed.
Uh-oh!
Somebody made a boo boo.
Wouldn't want to be Eddy Cue today.
I suppose the security risk is directly connected to the morals of the developer.
Webobjects is one crazy complicated piece of legacy software.
Actually this is the first phase of compliance with China's new backdoor policy.
Webobjects is one crazy complicated piece of legacy software.
????
WebObjects, especially the 4.0 and earlier, is basically the same stuff as OS X and iOS are built on, with a different presentation layer. WO5 is the same but moved to java. And not that overly complicated either.
It is extremely complicated especially the managed state functions which is what must have gone wrong in this instance.
Actually, I think this is a pretty big "Oops". Who needs hackers when Apple can't protect iTunes Connect accounts?
Probably an incorrect index on a table in the SQL backend.
It happens, the real question is how it made it past bench testing and QA, layers that are supposed to protect against this.
Server side software is a lot more complicated to write than client side software. On the client you have only one user and no scalability issues.
This kind of bug is the answer to people who say we should put everything in the cloud and just have dumb terminals as devices, as opposed to running local software and just syncing your documents to the cloud. The latter is easier to code by an order of magnitude. Maybe at some point in the future, when programming languages have improved a lot, a pure cloud world will be possible.
It happens, the real question is how it made it past bench testing and QA, layers that are supposed to protect against this.
Something like this can happen unexpectedly, but usually only under heavy load. It may not be related to the application code itself. The fault might be within WebObjects. Something like a duplicate primary key being assigned or an erroneous session variable stored in the database can inexplicably occur, sometimes cascading through the application logic and causing all sorts of issues. Often the problem is not reproducible, or is something that wouldn't even be detected in normal QA. When you have thousands of simultaneous users online, odd stuff can happen.
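The symptom the article describes (a valid login that renders someone else's name and someone else's apps) and the "erroneous session variable ... under heavy load" explanation in the comment above are both what a per-request identity leaking into state shared between concurrent requests looks like. The following is an added illustration written for this page; it is not Apple's or WebObjects' code, and the session table, accounts and app names are constructed sample data. It shows a handler that parks the resolved user in a slot shared by all in-flight requests, the same handler with request-local state, a deterministic interleaving that reproduces the mix-up, a thread-based load test, and the invariant check (rendered identity must equal session identity) that QA could have run.

```python
"""
Session mix-up demo: shared mutable "current user" vs request-local state.
Constructed example for illustration; not code from the article or from Apple.
"""
import threading
import time

# Constructed sample data (assumption): session token -> account, account -> apps.
SESSIONS = {"tok-A": "dev-a@example.com", "tok-B": "dev-b@example.com"}
APPS = {"dev-a@example.com": ["Alpha Notes"], "dev-b@example.com": ["Beta Tax"]}


class BuggyPortal:
    """Resolves the session into an instance-wide slot that every in-flight
    request shares. If request B runs between A's two steps, A renders B's user."""

    def __init__(self):
        self.current_user = None  # shared across requests: the defect

    def handle(self, token, pause=lambda: None):
        self.current_user = SESSIONS[token]  # step 1: authenticate the session
        pause()                              # another request may run here
        user = self.current_user             # step 2: read back the shared slot
        return {"token": token, "user": user, "apps": APPS[user]}


class FixedPortal:
    """Same flow, but the resolved user lives only in the request's own frame."""

    def handle(self, token, pause=lambda: None):
        user = SESSIONS[token]  # request-local; no shared slot to clobber
        pause()
        return {"token": token, "user": user, "apps": APPS[user]}


def is_mixup(page):
    """Invariant check: the identity rendered on the page must be the identity
    bound to the session that requested it."""
    return page["user"] != SESSIONS[page["token"]]


def interleave(portal):
    """Deterministic scheduler: A authenticates, B runs to completion inside
    A's pause, then A finishes. Returns (page rendered for A, page for B)."""
    results = {}

    def run_b():
        results["tok-B"] = portal.handle("tok-B")

    results["tok-A"] = portal.handle("tok-A", pause=run_b)
    return results["tok-A"], results["tok-B"]


def mixups_under_load(portal, n_threads=32, rounds=25):
    """Hammer the portal from many threads (sleep in the pause yields the GIL,
    so requests overlap) and count pages that fail the invariant check."""
    tokens = list(SESSIONS)
    bad = []
    lock = threading.Lock()

    def worker(tok):
        for _ in range(rounds):
            page = portal.handle(tok, pause=lambda: time.sleep(0.0005))
            if is_mixup(page):
                with lock:
                    bad.append(page)

    threads = [threading.Thread(target=worker, args=(tokens[i % len(tokens)],))
               for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(bad)


if __name__ == "__main__":
    page_a, _ = interleave(BuggyPortal())
    print("buggy, interleaved: tok-A rendered as", page_a["user"], page_a["apps"])
    page_a, _ = interleave(FixedPortal())
    print("fixed, interleaved: tok-A rendered as", page_a["user"], page_a["apps"])
    print("buggy, under load: mix-ups =", mixups_under_load(BuggyPortal()))
    print("fixed, under load: mix-ups =", mixups_under_load(FixedPortal()))
```

The deterministic `interleave` run is the part worth keeping in a test suite: the threaded count for `BuggyPortal` varies from run to run, which is exactly why the comment above says this class of bug slips past ordinary QA, while the invariant in `is_mixup` is cheap enough to run on every rendered page in production and page someone the first time it fires.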
Server side software is a lot more complicated to write than client side software. On the client you have only one user and no scalability issues.
Not true. Server side software is a lot easier to write because the environment is more controlled (only one server OS, components all validated against each other. This is why they virtualize.) and a lot of interfaces are private and internal (no security issues, out-of-date clients, differing implementations, etc.)
Such bugs will always be an issue with current server design.
I hope the hackers for hire aren't upset enough to sue Apple. 8-)8-)