Hackers can stay logged in to iTunes Connect accounts even when they’ve been blocked, Viber claims
Messaging app company Viber believes there is a glaring flaw in Apple’s iTunes Connect, which it has blamed for a defacement of its App Store page.
The flaw lets a hacker who is logged in to an iTunes Connect account remain logged in, even when the administrator has removed them from the list of authorised users.
Viber admitted that two Viber.com email accounts had been compromised in a phishing attack, which gave the attacker the login details needed to deface the company’s support site, as TechWeek reported last week, and to gain access to its iTunes Connect account.
Although Viber removed the user from its iTunes Connect account, the hacker, believed to be a member of the Syrian Electronic Army, remained logged in. And that has left Viber upset.
“On Saturday this happened again. Upon further investigation we realised this is a security issue in iTunes Connect,” a spokesperson said, in an emailed statement sent to TechWeek.
“It seems that when you remove a user, if the user is logged in, then the user stays logged in.
“We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.”
An Apple spokesperson said it had no comment at the time of publication.
“At this point, we want to reassure users that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance,” Viber added.