Technical Analysis of Apple Internal Source Code Leak

Introduction

Proprietary plugins and configuration files that Apple used with its self-hosted Atlassian Confluence and Jira instances were recently leaked. The data exposes custom backend and frontend plugins written for on-premise Confluence and Jira, including authentication handlers that integrate with Apple’s internal AppleConnect authentication system and a custom Confluence UI theme for the HMTS (Hardware, Manufacturing, and Test Solutions) division, among other data. This analysis gives a technical breakdown of the leaked files, their security implications, and recommendations for mitigating similar risks.

Contrary to initial reporting, the leaked data does not include internal Apple tools. It contains custom integrations that connect Apple’s proprietary authentication system to Atlassian Jira and Confluence for SSO within the Apple corporate network. Based on information in the leaked files, the code handles authentication to retail-confluence.apple.com, a Confluence server that is not routable from the public internet.

 
Initially listed for sale on BreachForums by IntelBroker, the data was purchased by the AHCTS Intelligence team for the USD equivalent of approximately $11.

File Analysis

				
├── apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e
│   ├── README.md
│   ├── advanced-theme-demo-for-confluence.iml
│   ├── bottom.vm
│   ├── config.xml
│   ├── css
│   │   ├── category-menu.css
│   │   ├── content.css
│   │   ├── header.css
│   │   └── style.css
│   ├── curl.exe
│   ├── images
│   │   ├── 402.png
│   │   ├── background_image.png
│   │   ├── background_image.svg
│   │   ├── background_image_small.png
│   │   ├── background_image_smallest.png
│   │   ├── demo-icon.png
│   │   ├── hmts_logo.png
│   │   ├── home_news
│   │   │   ├── graduation_cap.png
│   │   │   ├── green_flag.png
│   │   │   └── lightbulb.png
│   │   └── wikirefinery.png
│   ├── js
│   │   └── script.js
│   ├── theme-uploader.cmd
│   ├── theme-uploader.sh
│   ├── top.vm
│   └── variations
│       └── blue.css
├── appleconnect-sso-master@d8c514aa3f1
│   ├── ConfluenceSSORedirect
│   │   ├── LICENSE
│   │   ├── README
│   │   ├── pom.xml
│   │   └── src
│   │       └── main
│   │           ├── java
│   │           │   └── com
│   │           │       └── cprime
│   │           │           └── sso
│   │           │               ├── api
│   │           │               │   └── PluginData.java
│   │           │               ├── impl
│   │           │               │   └── PluginDataImpl.java
│   │           │               └── servlet
│   │           │                   ├── ConfiguringServlet.java
│   │           │                   └── filter
│   │           │                       └── LoginServletFilter.java
│   │           └── resources
│   │               ├── ConfluenceSSORedirect.properties
│   │               ├── atlassian-plugin.xml
│   │               ├── css
│   │               │   └── ConfluenceSSORedirect.css
│   │               ├── images
│   │               │   ├── pluginIcon.png
│   │               │   └── pluginLogo.png
│   │               ├── js
│   │               │   └── ConfluenceSSORedirect.js
│   │               └── templates
│   │                   ├── accessDenied.vm
│   │                   └── settings.vm
│   ├── JiraSSORedirect
│   │   ├── LICENSE
│   │   ├── README
│   │   ├── pom.xml
│   │   └── src
│   │       └── main
│   │           ├── java
│   │           │   └── com
│   │           │       └── cprime
│   │           │           └── sso
│   │           │               ├── api
│   │           │               │   └── PluginData.java
│   │           │               ├── impl
│   │           │               │   └── PluginDataImpl.java
│   │           │               └── servlet
│   │           │                   ├── ConfiguringServlet.java
│   │           │                   └── filter
│   │           │                       └── LoginServletFilter.java
│   │           └── resources
│   │               ├── JiraSSORedirect.properties
│   │               ├── atlassian-plugin.xml
│   │               ├── css
│   │               │   └── JiraSSORedirect.css
│   │               ├── images
│   │               │   ├── pluginIcon.png
│   │               │   └── pluginLogo.png
│   │               ├── js
│   │               │   └── JiraSSORedirect.js
│   │               └── templates
│   │                   ├── accessDenied.vm
│   │                   └── settings.vm
│   ├── conf-auth
│   │   ├── LICENSE
│   │   ├── README
│   │   ├── etc
│   │   │   └── seraph-config-example.xml
│   │   ├── pom.xml
│   │   └── src
│   │       └── main
│   │           └── java
│   │               └── com
│   │                   └── apple
│   │                       └── retailtech
│   │                           ├── AppleConnectConfig.java
│   │                           ├── CustomSSOAuthenticator.java
│   │                           ├── LDAPServerConfig.java
│   │                           └── SSOnCookie.java
│   └── jira-auth
│       ├── LICENSE
│       ├── README
│       ├── etc
│       │   └── seraph-config-example.xml
│       ├── pom.xml
│       └── src
│           └── main
│               └── java
│                   └── com
│                       └── apple
│                           └── retailtech
│                               ├── AppleConnectConfig.java
│                               ├── CustomSSOAuthenticator.java
│                               ├── LDAPServerConfig.java
│                               └── SSOnCookie.java
└── applemacroplugin-master@83c95519e8a
    ├── LICENSE
    ├── README
    ├── pom.xml
    └── src
        └── main
            ├── java
            │   └── com
            │       └── cprime
            │           └── macro
            │               └── plugin
            │                   ├── data
            │                   │   ├── PluginData.java
            │                   │   └── PluginDataImpl.java
            │                   ├── impl
            │                   │   └── RadarViewerMacro.java
            │                   ├── rest
            │                   │   ├── RadarRestResource.java
            │                   │   └── RadarRestResourceModel.java
            │                   └── servlet
            │                       └── ConfiguringServlet.java
            └── resources
                ├── RadarViewer.properties
                ├── atlassian-plugin.xml
                ├── css
                │   ├── RadarViewer.css
                │   └── jquery.dataTables.min.css
                ├── images
                │   ├── link-apple.png
                │   ├── link-ico.png
                │   ├── pluginIcon.png
                │   ├── pluginLogo.png
                │   ├── radar-ico.png
                │   ├── radar-line.png
                │   ├── radar-page-action-required-mini.png
                │   ├── radar-page-action-required.png
                │   ├── radar-page-draft-mini.png
                │   ├── radar-page-draft.png
                │   ├── radar-page-official-mini.png
                │   ├── radar-page-official.png
                │   ├── radar-page-outdated-mini.png
                │   ├── radar-page-outdated.png
                │   ├── radar-popup-icon.png
                │   ├── radar.png
                │   ├── sort_asc.png
                │   ├── sort_asc_disabled.png
                │   ├── sort_both.png
                │   ├── sort_desc.png
                │   └── sort_desc_disabled.png
                ├── js
                │   ├── RadarViewer.js
                │   ├── hidden-parameter-field.js
                │   └── jquery.dataTables.min.js
                ├── macros
                │   └── radarViewer.vm
                └── templates
                    ├── accessDenied.vm
                    └── settings.vm
				
			

The leak appears to consist of three repositories: 

  • apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e
    • Files last modified April 27, 2024
  • appleconnect-sso-master@d8c514aa3f1
    • Files last modified September 27, 2016
  • applemacroplugin-master@83c95519e8a
    • Files last modified August 10, 2019

HMTS Custom Theme for Confluence

(apple-hwe-confluence-datacenter-advanced-theme-master@2b322a08e3e)

The HMTS (Hardware, Manufacturing, and Test Solutions) theme is a custom Confluence theme for Apple’s internal instance. It tailors the visual and functional aspects of Confluence to the HMTS team, and consists of CSS stylesheets, JavaScript, Velocity templates (top.vm and bottom.vm) and image assets.

Boilerplate and Compatibility

The HMTS custom theme is built on the Refined for Confluence boilerplate. Refined is a popular add-on for Confluence that allows for extensive customization of the user interface.

Boilerplate: Refined for Confluence

  • The theme leverages the Refined for Confluence framework, which provides advanced theming capabilities and an online theme editor.

Supported Versions:

  • The theme requires Refined 5.0 for Confluence or later.
  • The only Confluence version pinned anywhere in the leak is 6.0.7, in the Maven properties of the macro plugin’s pom.xml shown below; the theme repository itself ships a config.xml and no pom.xml. A pom pin records the Confluence release the plugin was built and tested against, which places the deployment in the 6.x series at the time the code was written but does not prove which point release is running today.

<properties>
    <confluence.version>6.0.7</confluence.version>
    <confluence.data.version>6.0.7</confluence.data.version>
    <amps.version>6.2.4</amps.version>
    <plugin.testrunner.version>1.2.3</plugin.testrunner.version>
    <atlassian.spring.scanner.version>1.2.6</atlassian.spring.scanner.version>
    <atlassian.plugin.key>${project.groupId}.${project.artifactId}</atlassian.plugin.key>
</properties>

				
			

File Path: applemacroplugin-master@83c95519e8a/pom.xml

Analysis

Our analysis found no sensitive information in the apple-hwe-confluence-datacenter-advanced-theme files. The version information about Confluence, however, could be used to identify vulnerabilities to assist a more sophisticated attack. The repository also bundles upload helpers (theme-uploader.sh, theme-uploader.cmd and a Windows curl.exe); those are the files most likely to carry an internal hostname or an upload credential, so they are the first place anyone re-checking the theme should look.

AppleConnect SSO Integration for Confluence and Jira

Overview

The appleconnect-sso plugin suite includes components for both Confluence and Jira. The plugins replace the standard Seraph authenticators (Seraph is the servlet-filter-based authentication framework used by Atlassian server products; seraph-config.xml declares which authenticator class handles logins) with custom implementations that use AppleConnect SSO for user authentication, so Apple employees sign in to Confluence and Jira with their AppleConnect credentials. The developers, however, hardcoded an application ID key and the application administrator password into the Seraph configuration file. The file is named seraph-config-example.xml, and it is currently unknown whether it carries production credentials; our team presumes the data is valid.

Key Features

  1. Custom Authenticators:

    • The plugins replace the default Seraph authenticators with custom ones (CustomSSOAuthenticator) that are configured to validate users via AppleConnect.
  2. Integration with LDAP:

    • The authenticators also interact with LDAP to fetch user information based on the prsId (employee ID) obtained from AppleConnect.
  3. Handling of SSO Cookies:

    • The plugins manage SSO cookies to maintain session integrity and validate user sessions with AppleConnect.

Configuration and Dependency Details

File Paths: appleconnect-sso-master@d8c514aa3f1/conf-auth/etc/seraph-config-example.xml and appleconnect-sso-master@d8c514aa3f1/jira-auth/etc/seraph-config-example.xml

Key Elements:

  • Login and Logout URLs: Configured to use AppleConnect URLs for login and logout.
  • Custom Authenticator: Utilizes a custom SSO authenticator com.apple.retailtech.CustomSSOAuthenticator with various initialization parameters specific to AppleConnect.
  • LDAP Configuration: Integrates with an LDAP server at ldap://corpds.apple.com for user information.
				
<authenticator class="com.apple.retailtech.CustomSSOAuthenticator">
  <init-param>
    <param-name>apple.connect.auth.app.id.key</param-name>
    <param-value>fa74579a08b0bad82bb175e9d986e844e8d3a9b38f1795683aa08cdbc79841a0</param-value>
  </init-param>
  <init-param>
    <param-name>apple.connect.auth.app.admin.password</param-name>
    <param-value>[REDACTED BY AHCTS]</param-value>
  </init-param>
</authenticator>

File Source: appleconnect-sso-master@d8c514aa3f1/jira-auth/etc/seraph-config-example.xml
				
<authenticator class="com.apple.retailtech.CustomSSOAuthenticator">
  <init-param>
    <param-name>apple.connect.auth.app.id.key</param-name>
    <param-value>72f84a9f7893ad58a5a94e0bdfe4809a2cb3b5aab0d617fd28909a3c33571b5f</param-value>
  </init-param>
  <init-param>
    <param-name>apple.connect.auth.app.admin.password</param-name>
    <param-value>[REDACTED BY AHCTS]</param-value>
  </init-param>
</authenticator>

File Source: appleconnect-sso-master@d8c514aa3f1/conf-auth/etc/seraph-config-example.xml

Analysis

The appleconnect-sso suite is a working integration of AppleConnect SSO with Confluence and Jira, but the hardcoded credentials in its Seraph configuration are a significant weakness. Each product’s file carries its own 64-character hexadecimal app ID key and the same admin-password parameter (values redacted above); whether the ID keys are secrets in their own right or merely identifiers cannot be determined from the leak, and the safe assumption is that both values are compromised and must be rotated. A threat actor who first establishes access to the corporate network could then abuse the hardcoded credentials, with data leakage as the likely result, so the exposure is conditional on network access rather than directly exploitable from the internet.
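As an added example (not code from the leaked repositories or from cPrime), the following Python script shows the check a reviewer would run over a Seraph configuration before it is committed, and the hardened form of the same file. The XML is constructed for illustration: the element names follow seraph-config.xml and the two parameter names the article quotes, while the ldap.url parameter, the ${env:NAME} reference convention and every value are assumptions of this example. Seraph does not expand environment references itself; resolve_env_refs() stands in for the loader step an operator, or the authenticator’s init(), would perform at startup.

```python
"""Find credentials embedded in a Seraph-style config and show the externalised form.

Added example for this article; it is not code from the leaked repositories.
The XML is constructed: element names follow seraph-config.xml and the two
parameter names the article quotes, but the ldap.url parameter, the
${env:NAME} convention and every value are assumptions of this example.
"""
import os
import re
import xml.etree.ElementTree as ET

# Parameter names that normally carry a credential.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|credential|\.key$)", re.I)
# Assumed convention for an externalised value: ${env:APPLECONNECT_ADMIN_PASSWORD}.
ENV_REF_RE = re.compile(r"^\$\{env:([A-Z0-9_]+)\}$")
# Long all-hex strings are key material whatever the parameter is called.
HEX_KEY_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)


def find_hardcoded_secrets(xml_text):
    """Return (param_name, reason) for each init-param whose value is a secret literal."""
    findings = []
    root = ET.fromstring(xml_text)
    for auth in root.iter("authenticator"):
        for param in auth.findall("init-param"):
            name = (param.findtext("param-name") or "").strip()
            value = (param.findtext("param-value") or "").strip()
            # Empty, externalised or already-redacted values are not findings.
            if not value or ENV_REF_RE.match(value) or value.startswith("[REDACTED"):
                continue
            if SECRET_NAME_RE.search(name):
                findings.append((name, "secret-looking parameter name holds a literal value"))
            elif HEX_KEY_RE.match(value):
                findings.append((name, f"{len(value)}-char hex literal looks like key material"))
    return findings


def resolve_env_refs(xml_text, environ=None):
    """Expand ${env:NAME} so the secret only ever exists in the process environment.

    Seraph does not do this itself; this is the loader step an operator (or the
    authenticator's init()) performs at startup. A missing variable raises rather
    than silently producing an empty credential, and the result must never be
    written back into source control.
    """
    environ = os.environ if environ is None else environ
    root = ET.fromstring(xml_text)
    for value_el in root.iter("param-value"):
        match = ENV_REF_RE.match((value_el.text or "").strip())
        if match:
            if match.group(1) not in environ:
                raise KeyError(f"environment variable {match.group(1)} is not set")
            value_el.text = environ[match.group(1)]
    return ET.tostring(root, encoding="unicode")


# Constructed sample in the weak form: the credential ships inside the config file.
WEAK_CONFIG = """<security-config>
  <authenticator class="com.apple.retailtech.CustomSSOAuthenticator">
    <init-param>
      <param-name>apple.connect.auth.app.id.key</param-name>
      <param-value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</param-value>
    </init-param>
    <init-param>
      <param-name>apple.connect.auth.app.admin.password</param-name>
      <param-value>not-a-real-password</param-value>
    </init-param>
    <init-param>
      <param-name>ldap.url</param-name>
      <param-value>ldap://ldap.example.internal</param-value>
    </init-param>
  </authenticator>
</security-config>"""

# Hardened form: the file names the environment variables and carries no secret.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "${env:APPLECONNECT_APP_ID_KEY}",
).replace("not-a-real-password", "${env:APPLECONNECT_ADMIN_PASSWORD}")

if __name__ == "__main__":
    for name, reason in find_hardcoded_secrets(WEAK_CONFIG):
        print(f"HARDCODED {name}: {reason}")
    print("findings in hardened file:", find_hardcoded_secrets(HARDENED_CONFIG))
```

Run as a pre-commit check over every seraph-config*.xml in a plugin repository, the scanner flags the weak file twice and the hardened file not at all. The resolved output of resolve_env_refs() is again a sensitive file, which is the point: it should exist only on the application server, generated at deploy time, never in a repository or an "example" file.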

RadarViewer Macro Plugin for Confluence

Overview

The RadarViewer plugin, found in the applemacroplugin-master@83c95519e8a directory, is designed to provide a macro for embedding radar visualizations within Confluence pages. This plugin includes REST resources, web components, and configuration files that enable the integration and display of radar data.

Key Features

  1. REST API:

    • The plugin provides REST endpoints to fetch radar data. These endpoints are defined in the RadarRestResource class.
  2. XHTML Macro:

    • The plugin defines an XHTML macro named radar-viewer, which allows users to embed radar views within Confluence pages. The macro can be configured with various parameters to customize the radar display.
  3. Web Resources:

    • The plugin includes CSS and JavaScript files to support the radar visualization and interactivity.
  4. Configuration Options:

    • The plugin provides various configuration options through XML and properties files, allowing administrators to customize the behavior and appearance of the radar viewer.

Configuration and Dependency Details

File Path: applemacroplugin-master@83c95519e8a/pom.xml

Key Elements:

  • Dependencies: The plugin relies on several Atlassian and external libraries, such as atlassian-template-renderer-api, confluence, atlassian-spring-scanner, and others.
  • Build Plugins: Uses the maven-confluence-plugin for building and deploying the plugin.
				
<dependencies>
    <dependency>
        <groupId>com.atlassian.templaterenderer</groupId>
        <artifactId>atlassian-template-renderer-api</artifactId>
        <version>1.5.4</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>com.atlassian.confluence</groupId>
        <artifactId>confluence</artifactId>
        <version>${confluence.version}</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>com.atlassian.plugin</groupId>
        <artifactId>atlassian-spring-scanner-annotation</artifactId>
        <version>${atlassian.spring.scanner.version}</version>
        <scope>compile</scope>
    </dependency>
    <dependency>
        <groupId>com.atlassian.plugin</groupId>
        <artifactId>atlassian-spring-scanner-runtime</artifactId>
        <version>${atlassian.spring.scanner.version}</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>javax.inject</groupId>
        <artifactId>javax.inject</artifactId>
        <version>1</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>javax.ws.rs</groupId>
        <artifactId>jsr311-api</artifactId>
        <version>1.1.1</version>
        <scope>provided</scope>
    </dependency>
</dependencies>
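The dependency list above is exactly what a version-hunting attacker mines, so an analyst wants the same data as a resolved inventory. The following Python script is an added example, not code from the leak or from cPrime: it parses a Maven pom.xml, resolves the ${property} indirection the excerpt uses for confluence.version and atlassian.spring.scanner.version, and lists every dependency with its effective version. The POM text is constructed to resemble the excerpt; its project coordinates (com.example.plugins, radar-macro-plugin) are made up.

```python
"""Turn a leaked Maven pom.xml into a resolved dependency inventory.

Added example for this article; it is not code from the leaked repositories.
The POM below is constructed to resemble the article's excerpts (same
dependency coordinates and the same ${property} indirection); the project
coordinates com.example.plugins / radar-macro-plugin are made up.
"""
import re
import xml.etree.ElementTree as ET

PROP_REF_RE = re.compile(r"\$\{([^}]+)\}")


def _local(tag):
    """Drop the POM XML namespace so tags can be compared by local name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def load_properties(root):
    """Collect <properties> plus the ${project.*} values Maven defines implicitly."""
    props = {}
    for child in root:
        if _local(child.tag) in ("groupId", "artifactId", "version"):
            props["project." + _local(child.tag)] = (child.text or "").strip()
    for element in root.iter():
        if _local(element.tag) == "properties":
            for prop in element:
                props[_local(prop.tag)] = (prop.text or "").strip()
    return props


def resolve(value, props, depth=0):
    """Expand ${name} references, recursing for chained ones; unknown names stay as written."""
    if depth > 10:  # guard against self-referential properties
        return value
    expanded = PROP_REF_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return value if expanded == value else resolve(expanded, props, depth + 1)


def inventory(pom_text):
    """Return [(groupId, artifactId, effective_version, scope)] for every <dependency>."""
    root = ET.fromstring(pom_text)
    props = load_properties(root)
    rows = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in element}
        rows.append((
            fields.get("groupId", ""),
            fields.get("artifactId", ""),
            resolve(fields.get("version", ""), props),
            fields.get("scope", "compile"),  # Maven's default scope
        ))
    return rows


def platform_pins(pom_text):
    """Atlassian artifacts in provided scope: the host product versions the plugin was built against."""
    return {a: v for g, a, v, s in inventory(pom_text)
            if s == "provided" and g.startswith("com.atlassian.")}


def resolved_property(pom_text, name):
    """Fully expanded value of one property, e.g. the plugin key built from ${project.*}."""
    props = load_properties(ET.fromstring(pom_text))
    return resolve(props.get(name, ""), props)


# Constructed sample POM (not the leaked file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.plugins</groupId>
  <artifactId>radar-macro-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <confluence.version>6.0.7</confluence.version>
    <atlassian.spring.scanner.version>1.2.6</atlassian.spring.scanner.version>
    <atlassian.plugin.key>${project.groupId}.${project.artifactId}</atlassian.plugin.key>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.atlassian.confluence</groupId>
      <artifactId>confluence</artifactId>
      <version>${confluence.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.atlassian.plugin</groupId>
      <artifactId>atlassian-spring-scanner-runtime</artifactId>
      <version>${atlassian.spring.scanner.version}</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>javax.ws.rs</groupId>
      <artifactId>jsr311-api</artifactId>
      <version>1.1.1</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for row in inventory(SAMPLE_POM):
        print("%s:%s %s (%s)" % row)
    print("built against:", platform_pins(SAMPLE_POM))
```

The provided-scope Atlassian entries are the ones that matter for targeting: they record the host product release the plugin was compiled against, which is the same number the theme section discusses. Runtime and compile-scope entries are libraries that ship inside the plugin JAR and are the ones to check against their own advisories.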

				
			

Analysis

The leaked RadarViewer plugin contains no hardcoded secrets or other sensitive information that could be used directly against Apple. It is, however, a 2019-era code base built against Confluence 6.0.7 with bundled third-party assets (jquery.dataTables.min.js and its stylesheet), so the practical recommendation is to refresh its dependencies and bundled assets and re-review it against current Atlassian plugin security guidance before it continues in service.

Developer Information: cPrime

The organization credited as the developer of the leaked plugins is cPrime, a consultancy specializing in Agile transformations and software solutions. The attribution comes from the plugins’ own metadata and documentation: cPrime is named as the organization responsible for the RadarViewer macro and the SSO redirect plugins, and its package prefix runs through their code.

Evidence of cPrime’s Involvement

  1. Developer Attribution in README Files:
    • The README files carry author lines. The one quoted below credits an Apple employee for conf-auth, so README attribution points to cPrime only for the components that also carry cPrime metadata.

 

Example: 

File Path: appleconnect-sso-master@d8c514aa3f1/conf-auth/README.md

				
## License and Authors

Author:: Stephan Miehe (<s.m@apple.com>)

  2. Organization Information in pom.xml Files:
    • The pom.xml files include references to cPrime as the organization responsible for the plugins, along with links to their official website.

Examples:

File Path: appleconnect-sso-master@d8c514aa3f1/ConfluenceSSORedirect/pom.xml

File Path: appleconnect-sso-master@d8c514aa3f1/jira-auth/pom.xml

				
<organization>
    <name>cPrime, Inc</name>
    <url>https://www.cprime.com/</url>
</organization>

				
			

File Path: applemacroplugin-master@83c95519e8a/pom.xml

				
<organization>
    <name>cPrime, Inc</name>
    <url>https://cprime.com/</url>
</organization>
<name>Radar Macro Plugin</name>
<description>Radar Macro plugin for Confluence.</description>

				
			
  3. Class and Package Naming:
    • The classes and packages within the plugins follow a naming convention that includes com.cprime, further indicating that cPrime is the developer.

Examples:

File Path: applemacroplugin-master@83c95519e8a/src/main/java/com/cprime/macro/plugin/impl/RadarViewerMacro.java

				
package com.cprime.macro.plugin.impl;

// Class definition
public class RadarViewerMacro {
    // Implementation
}

				
			

File Path: appleconnect-sso-master@d8c514aa3f1/ConfluenceSSORedirect/src/main/java/com/cprime/sso/api/PluginData.java

				
package com.cprime.sso.api;

// Class definition
public class PluginData {
    // Implementation
}

				
			

Analysis

The cPrime attribution is solid for the ConfluenceSSORedirect, JiraSSORedirect and RadarViewer macro plugins: their pom.xml organization blocks name cPrime, Inc and their code lives in com.cprime packages. The conf-auth and jira-auth authenticators look different: they use the com.apple.retailtech package and the conf-auth README credits an Apple author, so at least that part of the SSO suite appears to have been written in-house at Apple. Taken together, the components integrate AppleConnect SSO and add custom visualizations and a theme tailored to Apple’s requirements.

Our Take

The leak of the custom plugins developed for Apple’s internal Confluence and Jira instances is a meaningful security event, though a bounded one. Nothing in the source code is directly exploitable from the internet, and none of it touches Apple end-user products or services; what it does expose is detailed configuration, internal hostnames and hardcoded credentials that a threat actor with corporate network access could put to use. The origin of the leak remains unknown: it may have come from Apple’s internal systems or from cPrime, the external consultancy credited with developing most of these plugins. That uncertainty underscores the need for security controls across the whole supply chain, covering internal practice and external vendors alike: secure development environments, strict access controls, and regular audits that catch credentials committed to source control before they leave the building.

 

Our team is aware of additional intelligence indicating that other newly emerging and still-developing breaches and leaks may also share cPrime as a common vendor, which is an avenue worth exploring. If you or your company is aware of a security incident that may be related to a wider cPrime breach, we encourage you to contact our team securely and anonymously via the contact information at the bottom of this article, or via Signal.

Contact Information

For press inquiries, security researchers with questions, or those seeking to request a comment or permission to republish information from this article, please reach out to us. Additionally, if you require a copy of the original data for analysis, please contact us via email at [email protected], by phone at (419) 210-8343, or via Signal. We are committed to providing transparent and detailed information and will respond promptly to all legitimate requests.
