
Hacking worm holes in iTunes

Apple's iTunes store is a massive network, with more than 200 million active accounts across the world.
STORY HIGHLIGHTS
  • Apple: 2011 revenue of US$5.4 billion in net sales for the iTunes store, App store, and iBookstore
  • Users of iTunes store have reported their accounts being hacked and their gift cards being spent
  • In 2010 Apple said one developer hacked around 400 iTunes accounts to boost sales of his apps
  • Analyst: Apple appears to have chosen to reimburse hacked accounts rather than fix the problem

Editor's note: The Global Mail is a new philanthropically funded, not-for-profit news and features website that aims to deliver original, fearless, independent journalism.

(The Global Mail) -- There are already 71 web pages of complaints on just one customer forum, and it's growing.

For more than a year, iTunes users have been reporting on online Apple customer forums that their accounts have been hacked, their gift cards spent, their PayPal accounts used or their store credit exhausted.

One typical forum complaint, from a user identifying themselves as MacAurora: "I was hacked today for almost $50 in Apple gift card money. First someone gained access to my account and 'downloaded' the free Kingdom Conquest app at 2:45 a.m. when I was asleep, and then bought almost $50 worth of In App Purchases from SEGA Corporation. SEGA says I should complain to Apple and ask for a refund. Apple says it's not responsible for In App Purchases."

Most of the amounts stolen are at the low end, ranging from a few dollars to about $500. In most instances, Apple has agreed to restore the lost funds, as a "one-time exception to our sales policy". The company will not comment on whether they are working on a permanent fix.

Online scam targets iTunes

The iTunes store is a massive network, with more than 200 million active accounts. In December 2011, Apple announced that more than 100 million applications had been downloaded from the App Store in Australia in just one year. In the fiscal year ending September 2011, Apple reported revenue of US$5.4 billion in "net sales for the iTunes store, App store, and iBookstore," an increase of 33% year-on-year, according to the company's annual report.

Many of the iTunes users whose accounts have been hacked are increasingly frustrated with Apple's customer service, saying the company at the very least has dithered in fixing the problem. Some accuse the tech giant of being indifferent to the problem.

Perhaps that is because the issue has skated largely under the radar. Apple has avoided the kind of noisy publicity that has framed many other hacking attacks over the past few years by refusing to release information about the scale or duration of the hack, making it impossible to gauge its true impact. Companies including Sony, Citibank and American defense contractor Lockheed Martin were all attacked in 2011 and, because of the nature of those attacks, were forced to reveal the details publicly.


The iTunes hacks take a number of different forms -- sometimes direct theft from a person's PayPal account, other times use of store credit and gift cards -- and the stolen funds are used for a range of purchases, from songs to apps to in-app add-ons. Together, these variations make it easier for Apple to say each attack is isolated, which is what forum posters report the company has told them in correspondence about their accounts.

But those hacked believe there is a pattern. And it's true that the similarities of their stories, the recurrence of purchases of the same apps, and identical amendments to some customers' account information all suggest a coordinated effort.

"It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it. When you have been hacked, and people's money and private info has been stolen, you should... be more responsible (and responsive) than Apple is being," forum user "glight" says.

One victim of the Apple hacking was Fiona McKinlay, who was one of the first people to post on the online forum raising questions about the system. Based in the United Kingdom, McKinlay had her account compromised and the balance of a new gift card almost completely wiped.

"In December 2010 I loaded a £25 gift card, and a couple of days later 'in app purchases' that I didn't make took my balance down to £1.02," she says.

"They were very helpful in that they disabled my account immediately, refunded my money, de-authorized all machines associated with my account and reactivated my account, but failed to acknowledge that there may be any sort of problem with their system.

"Until one day I find something that says Apple have admitted there was a problem and have now resolved it, I'm going to assume the problem is still there and they're still just trying to pretend it's not. They used the phrase 'Please note that this is a one-time exception to our sales policy.' That says to me, 'Well, we sort of think this is your fault and are just being nice,' " she says.

McKinlay is not alone in her concerns that Apple is ignoring a broader problem. Others have had similar issues. The challenge of getting someone from Apple to discuss the issue directly has left those hacked justifiably worried about the security of their accounts. This is made worse because some forum users also have reported that after the unauthorized purchases were made, the personal details on their accounts were tampered with, too.

The apparent ease with which hackers obtained and changed details, including addresses linked to their accounts, left some users feeling vulnerable to future theft. So for many, the need for direct human contact was a priority.

"Why is there only a web form to get in touch with Apple's iTunes billing department to report unauthorized transactions? Why is it when someone clicks on a link to report a problem that there isn't someone to follow up on what I, and other, reasonable people think is a time-critical event.... I have not talked to a warm, live, thinking, decision-making person. Why is that?" wrote "Terrence" on the forum thread.


Those holding iTunes gift cards appear to be the most vulnerable. Once a theft has occurred, forum users say the solutions provided by Apple aren't up to scratch.

"I'm just floored by Apple's lack of assistance with this issue. I haven't received a word of information except to change my password. I contacted PayPal right away, but they haven't heard back from Apple either," posted "ybenner." The first posts about the issue appeared in November 2010, more than four months before ybenner's complaint appeared in the forum.

Despite mostly small amounts being stolen in the hacking attacks, the number of accounts being compromised is not insignificant and the breaches are unlikely to stop unless Apple makes changes to its security system.

In 2010 Apple said Vietnamese developer Thuat Nguyen hacked around 400 iTunes accounts to boost sales of his apps and push them onto the "bestseller" list. The company said it had upgraded security and Nguyen was banned from selling products through its app store.

Since then hacking has continued to plague iTunes, with well over 1,000 incidents reported through the Apple forums. Yet the company hasn't publicly addressed the problem, nor responded to journalists' requests for information about the issue. Given the number of posts on the forum, there could be thousands, possibly tens of thousands of compromised accounts, but without any information from Apple, any estimate is a blind guess.

Ty Miller, chief technology officer at Sydney-based IT security firm Pure Hacking, says Apple appears to have chosen to reimburse hacked accounts rather than fix the problem.

"I would have expected Apple to take some sort of action by now," Miller says. "[That they haven't] can indicate one of two things:

"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix than they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller says.

Without Apple acknowledging the problem and providing more detailed information on what has been occurring, it is very difficult for outside security specialists to determine the cause of the problem.

Still, gift card credit is what most forum users are reporting having lost, and Miller says the frequency of that complaint indicates that hackers may be using software that can generate valid gift card numbers for use in the iTunes store.

"There's free software out there that lets you generate iTunes gift card numbers and you can actually use them in the iTunes store and buy stuff, so it may not be that the actual accounts are being hacked, it can just be the gift card numbers being used," Miller says.

The servers don't appear to have been compromised, says Miller, meaning the hacking could be as simple as using such software to guess gift card numbers and then spending up, or it could extend to creating "malicious apps" that when downloaded allow the creator access to the user's account.

"There's really not a lot people can do except monitor their account and if there has been a fraudulent transaction, report it to Apple," Miller says.

He says iTunes will continue to be a target and Apple needs to respond more quickly to customer complaints about flaws in the system.

"I think Apple has a good attitude towards security in general, however I do think they need to be more responsive in getting security fixes out quicker. In iOS4 [the iPhone operating system] there was a publicly available exploit that lets you break into people's phones - and that was possible within four different releases [of the software]," Miller says. "That meant they knew about it, but they weren't actually fixing it so the phones were vulnerable."

Apple, which has so far avoided the kind of large scale server hacking experienced by Sony in early 2011, when more than 77 million PlayStation users' details were compromised, continues to avoid responding publicly to the attacks.

When The Global Mail contacted the company its response was a general security statement that did not address the specific problems raised:

"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorized access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the statement said.

It advised customers who had experienced hacking or believe their account vulnerable to change their password.

The views and opinions expressed in this article are those of The Global Mail. Read the original version of the story.
