Hacking Worm Holes in iTunes
By Adam Glyde and Sarah-Jane Collins, February 6, 2012
iTunes has millions of users around the world, but the security of the Apple store has been breached, with users reporting their gift cards spent and account information altered — and a frustrating customer service maze to get a response from Apple. The company won’t discuss the problem, or say if they are fixing it.
There are already 71 web pages of complaints on just one customer forum, and it's growing. For more than a year, iTunes users have been reporting on online Apple customer forums that their accounts have been hacked, their gift cards spent, their PayPal accounts used or their store credit exhausted. One typical forum complaint, from a user identifying themselves as MacAurora: "I was hacked today for almost $50 in Apple gift card money. First someone gained access to my account and 'downloaded' the free Kingdom Conquest app at 2:45 a.m. when I was asleep, and then bought almost $50 worth of In App Purchases from SEGA Corporation. SEGA says I should complain to Apple and ask for a refund. Apple says it's not responsible for In App Purchases."
Most of the amounts stolen are at the low end, ranging from a few dollars to about $500. In most instances, Apple has agreed to restore the lost funds, as a "one-time exception to our sales policy". The company will not comment on whether they are working on a permanent fix.
The iTunes store is a massive network, with more than 200 million active accounts. In December 2011, Apple announced that more than 100 million applications had been downloaded from the app store in Australia in just one year. In the fiscal year ending September 2011, Apple reported revenue of USD5.4 billion in "net sales for the iTunes store, App store, and iBookstore," an increase of 33 per cent year-on-year, according to the company's annual report.
Many of the iTunes users whose accounts have been hacked are increasingly frustrated with Apple's customer service, saying the company at the very least has dithered in fixing the problem. Some accuse the tech giant of being indifferent to the problem.
Perhaps that is because the issue has skated largely under the radar. Apple has avoided the kind of noisy publicity that has framed many other hacking attacks over the past few years by refusing to release information about the scale or duration of the hack, making it impossible to gauge its true impact. Companies including Sony, Citibank and American defense contractor Lockheed Martin were all attacked in 2011 and, due to the nature of those attacks, were forced to reveal the details publicly.
The fact that the iTunes hacks take a number of different forms - sometimes direct theft from a person's PayPal account, other times use of store credit and gift cards - and that the stolen funds are used for a range of purchases, from songs to apps to in-app add-ons, combines to make it easier for Apple to say each attack is isolated. That is what forum posters report the company has told them in correspondence about their accounts.
But those hacked believe there is a pattern. And it's true the similarities of their stories, the recurrence of purchases of the same apps, and identical amendments to some customers' account information all suggest a coordinated effort.
"It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it. When you have been hacked, and people's money and private info has been stolen, you should… be more responsible (and responsive) than Apple is being," forum user "glight" says.
One victim of the Apple hacking was Fiona, who was one of the first people to post on the online forum raising questions about the system. Based in the United Kingdom, Fiona had her account compromised and the balance of a new gift card almost completely wiped.
"In December 2010 I loaded a £25 giftcard, and a couple of days later 'in app purchases' that I didn't make took my balance down to £1.02," she says.
"They were very helpful in that they disabled my account immediately, refunded my money, deauthorised all machines associated with my account and reactivated my account, but failed to acknowledge that there may be any sort of problem with their system.
"Until one day I find something that says Apple have admitted there was a problem and have now resolved it, I'm going to assume the problem is still there and they're still just trying to pretend it's not. They used the phrase 'Please note that this is a one-time exception to our sales policy.' That says to me, 'Well, we sort of think this is your fault and are just being nice,' " she says.
Fiona is not alone in her concern that Apple is ignoring a broader problem. Others have had similar issues. The difficulty of getting someone from Apple to discuss the issue directly has left those hacked justifiably worried about the security of their accounts. This is made worse because some forum users also report that after the unauthorised purchases were made, the personal details on their accounts were tampered with, too.
The apparent ease with which hackers obtained and changed details, including addresses linked to their accounts, left some users feeling vulnerable to future theft. So for many, the need for direct human contact was a priority.
"Why is there only a web form to get in touch with Apple's iTunes billing department to report unauthorised transactions? Why is it when someone clicks on a link to report a problem that there isn't someone to follow up on what I, and other, reasonable people think is a time-critical event…. I have not talked to a warm, live, thinking, decision-making person. Why is that?" wrote "Terrence" on the forum thread.
Those holding iTunes gift cards appear to be the most vulnerable. Once the theft had occurred, forum users say the solutions provided by Apple aren't up to scratch.
"I'm just floored by Apple's lack of assistance with this issue. I haven't received a word of information except to change my password. I contacted PayPal right away, but they haven't heard back from Apple either," posted "ybenner." The first posts about the issue lobbed in November 2010, more than four months before ybenner's complaint appeared in the forum.
Despite mostly small amounts being stolen in the hacking attacks, the number of accounts being compromised is not insignificant and the breaches are unlikely to stop unless Apple makes changes to its security system.
In 2010 Apple said Vietnamese developer Thuat Nguyen hacked around 400 iTunes accounts to boost sales of his apps and push them onto the "bestseller" list. The company said it had upgraded security and Nguyen was banned from selling products through its app store.
Since then hacking has continued to plague iTunes, with well over 1,000 incidents reported through the Apple forums. Yet the company hasn't publicly addressed the problem, nor responded to journalists' requests for information about the issue. Given the number of posts on the forum, there could be thousands, possibly tens of thousands of compromised accounts, but without any information from Apple, any estimate is a blind guess.
Ty Miller, chief technology officer at Sydney-based IT security firm Pure Hacking, says Apple appears to have chosen to reimburse hacked accounts rather than fix the problem.
"I would have expected Apple to take some sort of action by now," Miller says. "[That they haven't] can indicate one of two things:
"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix than they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller says.
Without Apple acknowledging the problem and providing more detailed information on what has been occurring, it is very difficult for outside security specialists to determine the cause of the problem.
Still, gift card credit is what most forum users report having lost, and Miller says the frequency of that complaint indicates that hackers may be using software that can generate valid gift card numbers for use in the iTunes store.
"There's free software out there that lets you generate iTunes gift card numbers and you can actually use them in the iTunes store and buy stuff, so it may not be that the actual accounts are being hacked, it can just be the gift card numbers being used," Miller says.
The servers don't appear to have been compromised, says Miller, meaning the hacking could be as simple as using such software to guess gift card numbers and then spending up, or it could extend to creating "malicious apps" that when downloaded allow the creator access to the user's account.
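To make Miller's gift-card hypothesis concrete from the defender's side, the following is an added Python example; it is not code from the article, from Pure Hacking or from Apple, and the code formats, lengths and the number of outstanding codes are constructed assumptions rather than anything known about the iTunes store. It compares how guessable a short numeric code is with a long code issued from a cryptographic random source, and shows a redemption-side throttle that limits guessing regardless of the format chosen.

```python
import math
import secrets
import string

# Hypothetical alphabet for issued codes (constructed; not any real retailer's format).
ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols


def keyspace_size(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct codes a format can express."""
    return alphabet_size ** length


def issue_code(length: int = 16) -> str:
    """Issue a code from a CSPRNG so that no code can be derived from another.

    A counter, timestamp or non-cryptographic PRNG would make codes predictable,
    which is the 'inherent flaw' scenario described in the article.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_success_probability(issued: int, length: int,
                              alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that one uniformly random guess matches any of `issued` live codes."""
    return issued / keyspace_size(length, alphabet_size)


def expected_guesses_per_hit(issued: int, length: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Average number of random guesses needed before one redeems successfully."""
    p = guess_success_probability(issued, length, alphabet_size)
    return 1 / p if p > 0 else math.inf


class RedemptionGate:
    """Server-side throttle: lock a client after too many invalid redemptions.

    Even a weak code format becomes much harder to exploit when each client
    gets only a handful of failed attempts; a strong format plus this gate
    makes online guessing impractical.
    """

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}

    def attempt(self, client_id: str, code: str, live_codes: set[str]) -> str:
        if self.failures.get(client_id, 0) >= self.max_failures:
            return "locked"
        if code in live_codes:
            live_codes.discard(code)          # codes are single-use
            self.failures[client_id] = 0
            return "redeemed"
        self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return "invalid"


if __name__ == "__main__":
    # Constructed scenario: one million codes outstanding at any time.
    outstanding = 1_000_000
    print("8-digit numeric code, guesses per hit:",
          expected_guesses_per_hit(outstanding, 8, 10))
    print("16-char alphanumeric code, guesses per hit:",
          f"{expected_guesses_per_hit(outstanding, 16):.3e}")

    gate = RedemptionGate(max_failures=3)
    live = {issue_code()}
    for bad in ("AAAA", "BBBB", "CCCC", "DDDD"):
        print(bad, "->", gate.attempt("client-1", bad, live))
```

With the constructed figures, the short numeric format needs about a hundred random guesses per successful redemption, while the 16-character CSPRNG format needs on the order of 10^18; the gate then caps how many of those guesses any one client can make before being cut off.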
"There's really not a lot people can do except monitor their account and if there has been a fraudulent transaction, report it to Apple," Miller says.
He says iTunes will continue to be a target and Apple needs to respond more quickly to customer complaints about flaws in the system.
"I think Apple has a good attitude towards security in general, however I do think they need to be more responsive in getting security fixes out quicker. In iOS4 [the iPhone operating system] there was a publicly available exploit that lets you break into people's phones - and that was possible within four different releases [of the software]," Miller says. "That meant they knew about it, but they weren't actually fixing it so the phones were vulnerable."
Apple, which has so far avoided the kind of large-scale server hacking experienced by Sony in early 2011, when more than 77 million PlayStation users' details were compromised, continues to avoid responding publicly to the attacks.
When The Global Mail contacted the company its response was a general security statement that did not address the specific problems raised:
"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the statement said.
It advised customers who had experienced hacking or believe their account vulnerable to change their password.