⚠️ Archived Post
This is an archived post from my previous blog (2007-2014). It may contain outdated information, broken links, or deprecated technical content. For current writing, please see the main Writing section.

Apple Security Credit

Originally published on July 23, 2007

While I attended WWDC this year, Apple relaunched its website in a sleeker design. They also added a couple of nice Ajax features (like the Spotlight-like search in the upper right corner of every page or the store locator). Of course I had to probe around a bit, and I found an SQL Injection security hole in the store locator. Being surrounded by over 1500 Apple engineers at WWDC, it was of course easy to report the issue in person, which I did right away. The issue is fixed now and Apple has given me public credit for finding and reporting it:

2007-07-16 Apple Store Locator

An SQL injection issue was corrected in the Apple Store Locator. No customer data is stored on or is handled by the affected database. We would like to acknowledge Johannes Fahrenkrug of Springenwerk Consulting for reporting these issues.

That’s the second credit Apple has given me for security holes on their website; the first one dates back to October 2005 (at the bottom of the page). I know that Apple has been criticized for its handling of security issues in the past. I only have experiences with Apple.com’s security team and those experiences are very positive. Google, Oracle and Real Networks have also given me public credit for finding and reporting security issues. Just drop me a line (johannes at the domain name springenwerk dot com) if you are interested in an in-depth security check of your web application.