Friday, July 9, 2010

Apple says iTunes Store hack damage minimal

http://www.msnbc.msn.com/id/38133471/ns/technology_and_science-tech_and_gadgets/

Apple now admits 400 iTunes accounts were hacked and used by a Vietnamese developer, Thuat Nguyen, to push his iPhone apps to best seller status over the weekend. But here is the zinger: Apple is saying it was no big deal. Four hundred accounts equals 0.0003 percent of the over 150 million iTunes account holders, Apple points out.

The downplaying of the hack comes as little consolation to many who believed Apple's walled garden would offer protection from rogue developers and hackers. After all, Apple runs a very tight ship when it comes to the App Store. (See related: " Apple's iPhone App Fraud: Where Were the App Police?")

Reports emerged on Sunday that Nguyen gamed the App Store ratings in the Books category, by purchasing his own apps using hacked iTunes accounts. At one point, the developer's apps occupied 42 of the top 50 apps sold in the Books section, and users reported purchases of up to $500 with their accounts.

Nguyen's apps had been removed from the App Store late as of Sunday, because he "violat(ed) the developer Program License Agreement, including fraudulent purchase patterns," Apple said. The company also claims that its iTunes servers were not compromised in any way.

When short, insecure passwords for iTunes accounts are used, users leave themselves open to hackers guessing their credentials. Compromised accounts are also nothing new: on the forums of theMacRumors site, there are dozens of replies in threads dating back from 2008 reporting such problems.

Following this incident, Apple will ask more frequently for your CCV number from your card (last three digits from the number at the back of the card), which is supposed to prove that the card in is the possession of the person making the purchase.

Alex Brie, one of the developers who first reported the App Store problems with the Vietnamese developer, is suspicious of Apple's claims. After his calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store.

Brie, who also develops iPhone books apps, was affected by Nguyen's gaming of the App Store ratings. Despite Apple's claims, he speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple's iTunes servers and skip the normal security steps, or run an automated scripted program.

Apple is well known for its draconian App Store approval process, so there are questions over how Thuat Nguyen's apps got approved in the first place. The developer links for these apps led to a parked (inexistent) domain, and according to one report, they even featured copyrighted material.


On Fri, Jul 9, 2010 at 10:08 AM, Carl Brooks wrote:
Apple had a big scam pulled against their App Store lately where a developer hacked a free app to make it go out and buy it's other paid apps. The result was that the developer had 40 of the top 50 apps in the Photography section of the app store (except the apps weren't Photography related apps). Obviously the developers who normally rule those charts noticed something was wrong because suddenly their apps were not on the top and their sales were down as a result.

Apple stepped in and booted the developer, notified the users that got their card used to cancel their cards and to change their iTunes password.

They changed their App Store policy to ask for the password more so you would know something was being done with the App store and they also added an occasional request for the 3 digits on the back of the card (because no one would have access to that but you).

Carl Brooks

No comments:

Post a Comment