Imagine you’re a developer who has decided to try to make your fortune selling apps on Apple’s iOS App Store or Mac App Store.
One thing that is obviously important is to have an easy way to upload new versions of your app so the guardians of Apple’s walled garden can cast their eyes over it and (hopefully) grant approval for your software to be made available. You will also want a way of tracking sales and income.
Naturally, Apple has developed a system for precisely this purpose – it’s called iTunes Connect. And, quite rightly, Apple requires developers to enter their username and password to access their iTunes Connect accounts.
After all, you wouldn’t want a stranger having the ability to delete your apps, upload bogus versions of your apps, or peruse your sales graph, would you?
No, I doubt you would.
But, unfortunately, multiple iOS and Mac App Store developers have reported that when they tried to log into iTunes Connect they were not taken to their own account, but to that of a completely random *other* developer.
Whether unauthorised users would have been able to see financial reports, or delete apps from iTunes Connect is unclear (some are reporting that the privacy breach only showed developers’ names and the names of their apps rather than more sensitive information) but it hardly instils confidence that Apple knows what it is doing.
The fact is, for a while it would have been a case of Russian Roulette whether your developer account was accessed by a complete stranger.
According to Apple’s System Status page, both iTunes Connect and Test Flight (the service through which developers upload new app builds and manage invitations to beta testers) have now been restored to normal working order.
Of course, this isn’t the first time that Apple has been caught with its trousers down when it comes to its online services for developers. In 2013, for instance, the Apple Developer Center was down for several days following a hack.
One comment on “iTunes Connect service allowed developers to log into stranger’s accounts”
"(some are reporting that the privacy breach only showed developers’ names and the names of their apps rather than more sensitive information) but it hardly instils confidence that Apple knows what it is doing."
Let's not forget the phishing rods! Hopefully if any were used the phish reeled them into the water instead of them being reeled out of it (preferably something that would injure them).
"According to Apple’s System Status page, both iTunes Connect and Test Flight …"
I readily admit I don't like Apple. But I would do this for any corporation (or person, including family, friends and even myself (laughing at oneself is an endless stream of amusement and I have the experience to back that)) that has a mistake in a product (or…) called Test Flight. It would be against my nature to not do so. It would also be impossible for me to neglect it; indeed this is one of the things that is in my blood. So here we go: let's just all be thankful it is not a real 'test flight'. That would especially be true if the 'pilots' used their mapping app that went really bad (2013?), to the point of having (as I recall it was an airport (ironically enough) and otherwise a university) on the Thames. And certain areas were off the map. Then of course the path leading in to a bad (i.e. not an entrance, blocked off area of) place at an airport in Alaska, I think it was. Yes, indeed, they do have an affinity to airports (good name for their service then, eh?) and so thankfully this was not a real test flight! That is of course still true without the mapping disaster (more reason that being able to read a map is a good skill to have as certainly that isn't the only issue with satellites/etc.).