Hackers have identified vulnerabilities on Apple websites which gave them access to the data stored in the underlying databases.Yesterday, the Anonymous collective disclosed an SQL injection vulnerability found in a survey script hosted on the Apple Business Intelligence (abs.apple.com) website.
The notorious group of hacktivists which is currently involved in AntiSec, a campaign to hack into government and corporate websites, leaked two dozen hashed passwords extracted from the Apple database.
However, the group said that Apple is not a primary target. "Apple could be target, too. But don't worry, we are busy elsewhere," it wrote on Twitter.
Meanwhile, an independent hacker known as Idahc who positioned himself against AntiSec, also disclosed vulnerabilities on an Apple site.
According to the self-confessed grey hat hacker, the Apple Consultants Network portal is vulnerable to cross-site scripting and blind SQL injection attacks.
The XSS weakness can be exploited to inject iframes into the page by directing victims to a specially-crafted URL. This type of flaw can be used to enhance phishing or malware distribution attacks.
The blind SQL injection vulnerability is even more dangerous and Idahc used it to extract table and column names from the database. The information he released suggest that home addresses and phone numbers of consultants were exposed.
Blind SQLi is harder to exploit than plain SQL injection because the information cannot be extracted through the website itself and no errors are returned.
"Hello. I am Idahc (Lebanese hacker). I found a Blind SQLI and Iframe Injection on Apple. I am not one of Anonymous or Lulzsec and I am against The ANTISEC OPERATION.
"[...] This is a poc [proof-of-concept] with not confidential information. I didn't dump users, emails, passwords," the hacker wrote in his announcement.
Idahc previously broke into Sony websites as part of the hacking campaign launched against the company after its legal crackdown on PS3 hackers.