Breaking down the #Apple Internal Tool Leak -- Follow along for realtime analysis updates as the write-up is completed!
— Andrew (@andrewchenke) June 19, 2024
Questions + relevant intel is welcomed, as always! #databreach #leak #cybersecurity #news #BreakingNewsβ
Table of Contents
Introduction
In a recent cybersecurity event, proprietary internal plugins and configurations used by Apple for their self-hosted Atlassian Confluence and Jira instances were leaked. This data breach exposed custom backend and frontend plugins designed for use with on-premise Atlassian Confluence and Jira systems, including authentication handlers integrated with Apple’s internal AppleConnect authentication system, as well as a custom Confluence UI theme for the HMTS (Hardware, Manufacturing, and Test Solutions) division, among other data. This analysis provides a detailed technical breakdown of the leaked files, the potential security implications, and recommendations for mitigating similar risks.
Contrary to initial publications, the leaked data does not include internal Apple tools, but instead, contains internal custom integrations to connect Apple proprietary authentication systems to Atlassian Jira and Confluence, for SSO authentication within the Apple corporate network. Based on information contained within the leaked data, the source code handles the authentication toΒ retail-confluence.apple.com, a Confluence server which is not routable on the public internet.Β
Join our insights list and recieve immediate updates on the latest in cyber security and emerging technology.Β
File Analysis
File Tree - Leaked Data Contents
βββ apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e
β βββ README.md
β βββ advanced-theme-demo-for-confluence.iml
β βββ bottom.vm
β βββ config.xml
β βββ css
β β βββ category-menu.css
β β βββ content.css
β β βββ header.css
β β βββ style.css
β βββ curl.exe
β βββ images
β β βββ 402.png
β β βββ background_image.png
β β βββ background_image.svg
β β βββ background_image_small.png
β β βββ background_image_smallest.png
β β βββ demo-icon.png
β β βββ hmts_logo.png
β β βββ home_news
β β β βββ graduation_cap.png
β β β βββ green_flag.png
β β β βββ lightbulb.png
β β βββ wikirefinery.png
β βββ js
β β βββ script.js
β βββ theme-uploader.cmd
β βββ theme-uploader.sh
β βββ top.vm
β βββ variations
β βββ blue.css
βββ appleconnect-sso-master@d8c514aa3f1
β βββ ConfluenceSSORedirect
β β βββ LICENSE
β β βββ README
β β βββ pom.xml
β β βββ src
β β βββ main
β β βββ java
β β β βββ com
β β β βββ cprime
β β β βββ sso
β β β βββ api
β β β β βββ PluginData.java
β β β βββ impl
β β β β βββ PluginDataImpl.java
β β β βββ servlet
β β β βββ ConfiguringServlet.java
β β β βββ filter
β β β βββ LoginServletFilter.java
β β βββ resources
β β βββ ConfluenceSSORedirect.properties
β β βββ atlassian-plugin.xml
β β βββ css
β β β βββ ConfluenceSSORedirect.css
β β βββ images
β β β βββ pluginIcon.png
β β β βββ pluginLogo.png
β β βββ js
β β β βββ ConfluenceSSORedirect.js
β β βββ templates
β β βββ accessDenied.vm
β β βββ settings.vm
β βββ JiraSSORedirect
β β βββ LICENSE
β β βββ README
β β βββ pom.xml
β β βββ src
β β βββ main
β β βββ java
β β β βββ com
β β β βββ cprime
β β β βββ sso
β β β βββ api
β β β β βββ PluginData.java
β β β βββ impl
β β β β βββ PluginDataImpl.java
β β β βββ servlet
β β β βββ ConfiguringServlet.java
β β β βββ filter
β β β βββ LoginServletFilter.java
β β βββ resources
β β βββ JiraSSORedirect.properties
β β βββ atlassian-plugin.xml
β β βββ css
β β β βββ JiraSSORedirect.css
β β βββ images
β β β βββ pluginIcon.png
β β β βββ pluginLogo.png
β β βββ js
β β β βββ JiraSSORedirect.js
β β βββ templates
β β βββ accessDenied.vm
β β βββ settings.vm
β βββ conf-auth
β β βββ LICENSE
β β βββ README
β β βββ etc
β β β βββ seraph-config-example.xml
β β βββ pom.xml
β β βββ src
β β βββ main
β β βββ java
β β βββ com
β β βββ apple
β β βββ retailtech
β β βββ AppleConnectConfig.java
β β βββ CustomSSOAuthenticator.java
β β βββ LDAPServerConfig.java
β β βββ SSOnCookie.java
β βββ jira-auth
β βββ LICENSE
β βββ README
β βββ etc
β β βββ seraph-config-example.xml
β βββ pom.xml
β βββ src
β βββ main
β βββ java
β βββ com
β βββ apple
β βββ retailtech
β βββ AppleConnectConfig.java
β βββ CustomSSOAuthenticator.java
β βββ LDAPServerConfig.java
β βββ SSOnCookie.java
βββ applemacroplugin-master@83c95519e8a
βββ LICENSE
βββ README
βββ pom.xml
βββ src
βββ main
βββ java
β βββ com
β βββ cprime
β βββ macro
β βββ plugin
β βββ data
β β βββ PluginData.java
β β βββ PluginDataImpl.java
β βββ impl
β β βββ RadarViewerMacro.java
β βββ rest
β β βββ RadarRestResource.java
β β βββ RadarRestResourceModel.java
β βββ servlet
β βββ ConfiguringServlet.java
βββ resources
βββ RadarViewer.properties
βββ atlassian-plugin.xml
βββ css
β βββ RadarViewer.css
β βββ jquery.dataTables.min.css
βββ images
β βββ link-apple.png
β βββ link-ico.png
β βββ pluginIcon.png
β βββ pluginLogo.png
β βββ radar-ico.png
β βββ radar-line.png
β βββ radar-page-action-required-mini.png
β βββ radar-page-action-required.png
β βββ radar-page-draft-mini.png
β βββ radar-page-draft.png
β βββ radar-page-official-mini.png
β βββ radar-page-official.png
β βββ radar-page-outdated-mini.png
β βββ radar-page-outdated.png
β βββ radar-popup-icon.png
β βββ radar.png
β βββ sort_asc.png
β βββ sort_asc_disabled.png
β βββ sort_both.png
β βββ sort_desc.png
β βββ sort_desc_disabled.png
βββ js
β βββ RadarViewer.js
β βββ hidden-parameter-field.js
β βββ jquery.dataTables.min.js
βββ macros
β βββ radarViewer.vm
βββ templates
βββ accessDenied.vm
βββ settings.vm
The leak appears to consist of three repositories:Β
apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e- Files last modified April 27th 2024
appleconnect-sso-master@d8c514aa3f1- Files last modified September 27, 2016Β
applemacroplugin-master@83c95519e8a- Files last modified August 10, 2019
HMTS Custom Theme for Confluence
(apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e)
The HMTS (Hardware, Manufacturing, and Test Solutions) custom theme is a specialized theme developed for Apple’s internal Confluence instance. It aims to provide a tailored user experience for the HMTS team by customizing the visual and functional aspects of Confluence, and includes various CSS stylesheets, JavaScript files, and image assets to achieve this customization.
Boilerplate and Compatibility
The HMTS custom theme is built on the Refined for Confluence boilerplate. Refined is a popular add-on for Confluence that allows for extensive customization of the user interface.
Boilerplate: Refined for Confluence
- The theme leverages the Refined for Confluence framework, which provides advanced theming capabilities and an online theme editor.
Supported Versions:
- The theme requires Refined 5.0 for Confluence or later.
- The specific version of Confluence mentioned in the configuration files is 6.0.7, indicating compatibility with Confluence 6.x series.
<properties>
<confluence.version>6.0.7</confluence.version>
<confluence.data.version>6.0.7</confluence.data.version>
<amps.version>6.2.4</amps.version>
<plugin.testrunner.version>1.2.3</plugin.testrunner.version>
<atlassian.spring.scanner.version>1.2.6</atlassian.spring.scanner.version>
<atlassian.plugin.key>${project.groupId}.${project.artifactId}</atlassian.plugin.key>
</properties>
File Path: applemacroplugin-master@83c95519e8a/pom.xml
Analysis
Within the Apple-HWE-Confluence-Advanced files, there is not any sensitive information based on our analysis, however version information regarding Confluence could be used to identify vulnerabilities to assist in a more sophisticated attack.Β
AppleConnect SSO Integration for Confluence and Jira
Overview
The appleconnect-sso plugin suite includes components for both Confluence and Jira. These plugins are designed to override the standard Seraph authenticators with custom implementations that leverage AppleConnect SSO for user authentication. This allows Apple employees to seamlessly authenticate into Confluence and Jira using their AppleConnect credentials. The developers of the system, however, hardcoded application administrator credentials into the configuration file. While it is current unknown whether the ‘example’ configuration file contains production credentials, our team presumes that the data is valid.Β
Key Features
Custom Authenticators:
- The plugins replace the default Seraph authenticators with custom ones (
CustomSSOAuthenticator) that are configured to validate users via AppleConnect.
- The plugins replace the default Seraph authenticators with custom ones (
Integration with LDAP:
- The authenticators also interact with LDAP to fetch user information based on the
prsId(employee ID) obtained from AppleConnect.
- The authenticators also interact with LDAP to fetch user information based on the
Handling of SSO Cookies:
- The plugins manage SSO cookies to maintain session integrity and validate user sessions with AppleConnect.
Configuration and Dependency Details
File Path: appleconnect-sso-master@d8c514aa3f1/conf-auth/etc/seraph-config-example.xml
Key Elements:
- Login and Logout URLs: Configured to use AppleConnect URLs for login and logout.
- Custom Authenticator: Utilizes a custom SSO authenticator
com.apple.retailtech.CustomSSOAuthenticatorwith various initialization parameters specific to AppleConnect. - LDAP Configuration: Integrates with an LDAP server at
ldap://corpds.apple.comfor user information.
Jira Authentication Code Sample
<authenticator class="com.apple.retailtech.CustomSSOAuthenticator">
<init-param>
<param-name>apple.connect.auth.app.id.key</param-name>
<param-value>fa74579a08b0bad82bb175e9d986e844e8d3a9b38f1795683aa08cdbc79841a0</param-value>
</init-param>
<init-param>
<param-name>apple.connect.auth.app.admin.password</param-name>
<param-value>[REDACTED BY AHCTS]</param-value>
</init-param>
</authenticator>
File Source: appleconnect-sso-master@d8c514aa3f1/jira-auth/pom.xml
Confluence Authentication Code Sample
<authenticator class="com.apple.retailtech.CustomSSOAuthenticator">
<init-param>
<param-name>apple.connect.auth.app.id.key</param-name>
<param-value>72f84a9f7893ad58a5a94e0bdfe4809a2cb3b5aab0d617fd28909a3c33571b5f</param-value>
</init-param>
<init-param>
<param-name>apple.connect.auth.app.admin.password</param-name>
<param-value>[REDACTED BY AHCTS]</param-value>
</init-param>
</authenticator>
File Source: appleconnect-sso-master@d8c514aa3f1/conf-auth/pom.xml
Analysis
The appleconnect-sso plugin suite provides a robust solution for integrating AppleConnect SSO with Confluence and Jira, allowing seamless authentication for Apple employees. However, the use of hard coded credentials in these configurations represents a significant security vulnerability. In the event that corporate network access was established by a threat actor, it is likely that abuse of the hardcoded credentials will occur, and subsequent data leakage will occur.
RadarViewer Macro Plugin for Confluence
Overview
The RadarViewer plugin, found in the applemacroplugin-master@83c95519e8a directory, is designed to provide a macro for embedding radar visualizations within Confluence pages. This plugin includes REST resources, web components, and configuration files that enable the integration and display of radar data.
Key Features
REST API:
- The plugin provides REST endpoints to fetch radar data. These endpoints are defined in the
RadarRestResourceclass.
- The plugin provides REST endpoints to fetch radar data. These endpoints are defined in the
XHTML Macro:
- The plugin defines an XHTML macro named
radar-viewer, which allows users to embed radar views within Confluence pages. The macro can be configured with various parameters to customize the radar display.
- The plugin defines an XHTML macro named
Web Resources:
- The plugin includes CSS and JavaScript files to support the radar visualization and interactivity.
Configuration Options:
- The plugin provides various configuration options through XML and properties files, allowing administrators to customize the behavior and appearance of the radar viewer.
Configuration and Dependency Details
File Path: applemacroplugin-master@83c95519e8a/pom.xml
Key Elements:
- Dependencies: The plugin relies on several Atlassian and external libraries, such as
atlassian-template-renderer-api,confluence,atlassian-spring-scanner, and others. - Build Plugins: Uses the
maven-confluence-pluginfor building and deploying the plugin.
<dependencies>
<dependency>
<groupId>com.atlassian.templaterenderer</groupId>
<artifactId>atlassian-template-renderer-api</artifactId>
<version>1.5.4</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.confluence</groupId>
<artifactId>confluence</artifactId>
<version>${confluence.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.plugin</groupId>
<artifactId>atlassian-spring-scanner-annotation</artifactId>
<version>${atlassian.spring.scanner.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.atlassian.plugin</groupId>
<artifactId>atlassian-spring-scanner-runtime</artifactId>
<version>${atlassian.spring.scanner.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>javax.inject</groupId>
<artifactId>javax.inject</artifactId>
<version>1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>jsr311-api</artifactId>
<version>1.1.1</version>
<scope>provided</scope>
</dependency>
</dependencies>
Analysis
The leaked RadarViewer plugin for Confluence does not contain hardcoded data or sensitive information that can be directly used to further attack the victim. However, updating the source code of the plugin to meet modern development and security best practices is essential to mitigate potential abuse.
Developer Information: cPrime
The developer of the leaked plugins is cPrime, a consultancy firm specializing in Agile transformations and software solutions. This information is evident from multiple references within the codebase and accompanying documentation of the plugins. cPrime is prominently mentioned as the organization responsible for creating and maintaining these custom plugins for Apple’s internal Confluence and Jira instances.
Evidence of cPrime’s Involvement
- Developer Attribution in README Files:
- Several README files within the plugins explicitly mention cPrime and its developers.
Β
Example:Β
File Path: appleconnect-sso-master@d8c514aa3f1/conf-auth/README.md
## License and Authors
Author:: Stephan Miehe (<s.m@apple.com>)
- Organization Information in pom.xml Files:
- The
pom.xmlfiles include references to cPrime as the organization responsible for the plugins, along with links to their official website.
- The
Examples:
File Path: appleconnect-sso-master@d8c514aa3f1/ConfluenceSSORedirect/pom.xml
File Path:Β appleconnect-sso-master@d8c514aa3f1/jira-auth/pom.xml
<organization>
<name>cPrime, Inc</name>
<url>https://www.cprime.com/</url>
</organization>
File Path: applemacroplugin-master@83c95519e8a/pom.xml
<organization>
<name>cPrime, Inc</name>
<url>https://cprime.com/</url>
</organization>
<name>Radar Macro Plugin</name>
<description>Radar Macro plugin for Confluence.</description>
- Class and Package Naming:
- The classes and packages within the plugins follow a naming convention that includes
com.cprime, further indicating that cPrime is the developer.
- The classes and packages within the plugins follow a naming convention that includes
Examples:
File Path: applemacroplugin-master@83c95519e8a/src/main/java/com/cprime/macro/plugin/impl/RadarViewerMacro.java
package com.cprime.macro.plugin.impl;
// Class definition
public class RadarViewerMacro {
// Implementation
}
File Path: appleconnect-sso-master@d8c514aa3f1/ConfluenceSSORedirect/src/main/java/com/cprime/sso/api/PluginData.java
package com.cprime.sso.api;
// Class definition
public class PluginData {
// Implementation
}
Analysis
cPrime is clearly identified as the developer of the custom plugins for Apple’s internal Confluence and Jira instances. This is supported by multiple references in the codebase and documentation, including organization information in pom.xml files, developer attribution in README files, and consistent package naming conventions. These plugins, developed by cPrime, integrate AppleConnect SSO and provide custom visualizations and themes, tailored to meet Apple’s specific requirements.
Our Take
The leak of the custom plugins developed for Apple’s internal Confluence and Jira instances poses significant cybersecurity risks, but there is not an actively exploitable threat within the source code, and the source code does not include any tools which impact Apple end-user products or services, however the exposed code does include detailed configurations and sensitive information that could potentially be exploited by malicious actors. The origin of the leak remains unknown, with the possibility that it may have originated from either Apple’s internal systems or from cPrime, the external consultancy responsible for developing these plugins. This uncertainty underscores the critical need for robust security measures across the entire supply chain, including both internal practices and those of external vendors. The breach highlights the importance of secure development environments, stringent access controls, and comprehensive security audits to protect sensitive information and maintain the integrity of critical infrastructure components.
Β
Our team is aware of additional intelligence indicating that other newly emerging and currently developing data breaches and leaks may also have the shared utilization of cPrime, which presents an interesting avenue to be explored. If you or your company is aware of a security incident which has occurred and is potentially related to a widespread cPrime breach, we encourage you to securely and anonymously contact our team via the contact information at the bottom of this article, or via Signal.
Contact Information
For press inquiries, security researchers with questions, or those seeking to request a comment or permission to republish information from this article, please reach out to us. Additionally, if you require a copy of the original data for analysis, please contact us via email at [email protected], by phone at (419) 210-8343, or via Signal. We are committed to providing transparent and detailed information and will respond promptly to all legitimate requests.
