In the spate of large companies hacked in recent weeks, it seems that many of them have one thing in common. Many have visited one compromised website specifically devoted to sharing information related to mobile development — and it’s not just tech companies visiting the site.
The site is called iPhoneDevSDK, according to sources close to the Facebook hacking investigation. It’s a hub for many companies concentrated on the mobile space.
After Facebook employees visited the mobile development site in recent weeks, malicious code injected into the HTML of the site used an exploit in Oracle’s Java plug-in to infect employee laptops, as the company divulged last Friday.
When asked for comment on the site in question, Facebook referred us back to the company’s blog post from last week, without going into further detail.
Of note: Do not visit this site, as it may continue to be compromised. While it’s potentially risky to publicize the website, AllThingsD is providing the name to inform readers, developers and organizations interested in mobile development in order to keep them from becoming infected.
Update 4:22 pm PT: Ian Sefferman, owner and operator of the site iPhoneDevSDK, has reached out to AllThingsD and provided the following statement:
“We’re investigating Facebook’s reports that iPhoneDevSDK was hosting an exploit targeted at Facebook employees. We’re actively ensuring that is not the case. Facebook originally noted that they immediately reached out to other affected companies, but we were never contacted by Facebook, any other company, or law enforcement. Our users’ security is incredibly important to us and we’ll be sure to follow the investigation through to completion.”
When asked for a response to Sefferman’s statement, Facebook declined to comment on an ongoing investigation.
This is likely also the website responsible for the recent hack of Apple employee laptops, as the company announced on Tuesday. “Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” the company said in a statement to AllThingsD provided earlier this morning.
Apple did not immediately respond to a request for comment on whether or not the iPhoneDevSDK site was involved in its hack.
The site could also be the common thread behind the recent Twitter hack, which potentially compromised the accounts of 250,000 Twitter users. In the language of Twitter’s blog post, head of information security Bob Lord reminded users to disable Java inside of their browsers, a hint that this could be related to the Facebook and Apple hacks.
Apple also released a security update software patch to users on Tuesday which addresses the Java exploit, another indication that the iPhoneDevSDK site is responsible for the company’s hack.
Twitter did not respond to a request for comment.
The hack is different from many familiar modes of attacking individual users and companies. It’s called a “watering hole” attack, in that it’s launched from a centralized, popular location that many people visit across multiple industries.
“Everyone knows about spearphishing now,” said Joe Sullivan, Facebook’s chief security officer, in an interview last week with AllThingsD. “But being able to target a site on the Internet — it’s a really interesting idea that you could target people from there. You don’t have to get someone to open the email or click on the link.”
Or as independent security researcher Ashkan Soltani told us last week: “Rather than attack individual developers, they’ve poisoned the well.”
This type of attack has been used in other recent high-profile hacks. In December of last year, a watering-hole hack was discovered on the website of the Council of Foreign Relations, a Washington, D.C.-based think tank whose influence is widespread in “journalist, business and education circles.”
But the attack on mobile developers is potentially even more worrisome: The iPhoneDevSDK website isn’t just for tech-focused companies working on mobile apps. It’s an iPhone-specific site that any organization interested in mobile could benefit from visiting. And as Facebook said in its recent blog post, “Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well.”
The implications loom large. As the tide has shifted over the past few years and more people have moved to using smartphones and tablets for their computing needs, countless numbers of major companies and organizations have invested heavily in mobile application development. Imagine how many visited the site and could unknowingly be affected.
“It’s the type of forum that anyone who was building apps for mobile devices would visit,” Facebook’s Sullivan told AllThingsD. “It’s pretty popular for sharing tips, tricks, etc.”
So going forward, the question now isn’t which company is next, but rather which one is willing to admit it next.
“I truly believe we’re going to see quite a bit more of these announcements as companies start to get smarter and look more closely at their systems,” Soltani told AllThingsD in a previous interview.
Now, “it’s not a matter of whether or not you’ve been compromised,” Soltani said. “It’s whether you have the expertise to tell.”