A major security hole in Apple’s Radar application was first discovered last Friday by developer Jesse Järvi. The hole allowed access to personal information for every registered iOS, Mac, or Safari developer and every Apple retail and corporate employee. Apple’s Radar application is an internal program used by Apple employees to manage bug reports that are submitted through its bug tracker. Jesse Järvi first downloaded the Radar application from Apple’s website and then reported the security flaw to 9to5Mac, which then contacted Apple. Apple gave assurances that the security hole would be patched as soon as possible, and Apple engineers worked over the weekend on the problem, which was fixed by Sunday night. Though there has been no official communication on this from Apple, the company assured Jesse Järvi that the security hole is now patched.
The first step in exploiting this hole was downloading the Radar application from Apple’s website. The program requires an Apple ID login to function, and that ID must be on a list of employees with access to the Radar app. Entering an invalid login causes the program to kick you out, but doesn’t cut off access to other tools contained within the software—including the people lookup function.
Opening a directory search and plugging in any piece of info, such as a name, phone number, or email address, promptly brings up a list of matches, with no authentication required.
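The pattern described above, a login that rejects the user while the lookup itself never checks who is asking, is shown here as an added example that is not Apple's code; the article does not describe how the lookup service was built. All names, accounts and records are hypothetical and constructed for illustration, with the unchecked lookup beside a version that validates the session on every request.

```python
# Constructed example: a hypothetical directory service, not Apple's code.
import secrets

# Constructed sample data (assumptions, not real records). Passwords are kept
# in plain text only to keep the example short.
USERS = {"alice@example.com": "correct-horse"}   # account -> password
RADAR_ACCESS = {"alice@example.com"}             # accounts allowed to use the tool
DIRECTORY = [
    {"name": "Bob Example", "email": "bob@example.com", "phone": "555-0100"},
    {"name": "Carol Sample", "email": "carol@example.com", "phone": "555-0101"},
]
SESSIONS = {}  # session token -> account, filled only by a successful login


def login(account, password):
    """Return a session token, or None if the credentials or allow-list check fail."""
    stored = USERS.get(account)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    if account not in RADAR_ACCESS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def _search(term):
    """Case-insensitive substring match over name, email and phone."""
    term = term.lower()
    return [p for p in DIRECTORY if any(term in v.lower() for v in p.values())]


def lookup_unchecked(term, token=None):
    """Flawed pattern: relies on the client having turned the user away."""
    return _search(term)


def lookup_checked(term, token=None):
    """Hardened pattern: every lookup re-validates the session and the allow-list."""
    account = SESSIONS.get(token) if token else None
    if account is None or account not in RADAR_ACCESS:
        raise PermissionError("directory lookup requires an authorized session")
    return _search(term)
```
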
You can view the bug reporter website here.