The Global Mail has ceased operations.
<p>Photography by Mike Bowers</p>

Photography by Mike Bowers

Hacking Worm Holes in iTunes

iTunes has millions of users around the world, but the security of the Apple store has been breached, with users reporting their gift cards spent and account information altered — and a frustrating customer service maze to get a response from Apple. The company won’t discuss the problem, or say if they are fixing it.

There are already 71 web pages of complaints on just one customer forum, and it's growing. For more than a year, iTunes users have been reporting on online Apple customer forums that their accounts have been hacked, their gift cards spent, their PayPal accounts used or their store credit exhausted. One typical forum complaint, from a user identifying themselves as MacAurora: "I was hacked today for almost $50 in Apple gift card money. First someone gained access to my account and 'downloaded' the free Kingdom Conquest app at 2:45 a.m. when I was asleep, and then bought almost $50 worth of In App Purchases from SEGA Corporation. SEGA says I should complain to Apple and ask for a refund. Apple says it's not responsible for In App Purchases."

Most of the amounts stolen are at the low end, ranging from a few dollars to about $500. In most instances, Apple has agreed to restore the lost funds, as a "one-time exception to our sales policy". The company will not comment on whether they are working on a permanent fix.

<p>Photo by Mike Bowers</p>

Photo by Mike Bowers

The iTunes store is a massive network, with more than 200 million active accounts. In December 2011, Apple announced that more than 100 million applications had been downloaded from the app store in Australia in just one year. In the fiscal year ending September 2011, Apple reported revenue of USD5.4 billion in "net sales for the iTunes store, App store, and iBookstore," an increase of 33 per cent year-on-year, according to the company's annual report.

Many of the iTunes users whose accounts have been hacked are increasingly frustrated with Apple's customer service, saying the company at the very least has dithered in fixing the problem. Some accuse the tech giant of being indifferent to the problem.

Perhaps that is because the issue has skated largely under the radar. Apple has avoided the kind of noisy publicity that has framed many other hacking attacks over the past few years by refusing to release information around the scale or duration of the hack, making it impossible to gauge its true impact. Companies including Sony, Citibank and American defense contractor Lockheed Martin all were attacked in 2011, due to the nature of the attacks, were forced to reveal the details publicly.

The fact that the iTunes hacks take a number of different forms - sometimes direct theft from a person's PayPal account, other times use of store credit and gift cards - and that the stolen funds are used for a range of purchases, from songs to apps to in-app add-ons combine to make it easier for Apple to say each attack is isolated. That's something forum posters have reported the company has told them in correspondence about their account.

But those hacked believe there is a pattern. And it's true the similarities of their stories, the recurrence of purchases of the same apps, and identical amendments to some customers' account information all suggest a coordinated effort.

"It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it. When you have been hacked, and people's money and private info has been stolen, you should… be more responsible (and responsive) than Apple is being," forum user "glight" says.

One victim of the Apple hacking was Fiona, who was one of the first people to post on the online forum raising questions about the system. Based in the United Kingdom, Fiona had her account compromised and the balance of a new gift card almost completely wiped.

“It is very apparent that Apple iTunes has a big problem on their hands…”

"In December 2010 I loaded a £25 giftcard, and a couple of days later 'in app purchases' that I didn't make took my balance down to £1.02," she says.

"They were very helpful in that they disabled my account immediately, refunded my money, deauthorised all machines associated with my account and reactivated my account, but failed to acknowledge that there may be any sort of problem with their system.

"Until one day I find something that says Apple have admitted there was a problem and have now resolved it, I'm going to assume the problem is still there and they're still just trying to pretend it's not. They used the phrase 'Please note that this is a one-time exception to our sales policy.' That says to me, 'Well, we sort of think this is your fault and are just being nice,' " she says.

Fiona is not alone in her concerns that Apple is ignoring a broader problem.Others have had similar issues. The challenge of getting someone from Apple to discuss the issue directly has left those hacked justifiably worried about the security of their accounts. This is made worse because some forum users also have reported that after the unauthorised purchases were made, the personal details on their accounts were tampered with, too.

<p>Photo by Mike Bowers</p>

Photo by Mike Bowers

The apparent ease with which hackers obtained and changed details, including addresses linked to their accounts, left some users feeling vulnerable to future theft. So for many, the need for direct human contact was a priority.

"Why is there only a web form to get in touch with Apple's iTunes billing department to report unauthorised transactions? Why is it when someone clicks on a link to report a problem that there isn't someone to follow up on what I, and other, reasonable people think is a time-critical event…. I have not talked to a warm, live, thinking, decision-making person. Why is that?" wrote "Terrence" on the forum thread.

Those holding iTunes gift cards appear to be the most vulnerable. Once the theft had occurred, forum users say the solutions provided by Apple aren't up to scratch.

"I'm just floored by Apple's lack of assistance with this issue. I haven't received a word of information except to change my password. I contacted PayPal right away, but they haven't heard back from Apple either," posted "ybenner." The first posts about the issue lobbed in November 2010, more than four months before ybenner's complaint appeared in the forum.

“They disabled my account immediately, refunded my money … but failed to acknowledge that there may be any sort of problem with their system.”

Despite mostly small amounts being stolen in the hacking attacks, the number of accounts being compromised is not insignificant and the breaches are unlikely to stop unless Apple makes changes to its security system.

In 2010 Apple said Vietnamese developer Thuat Nguyen hacked around 400 iTunes accounts to boost sales of his apps and push them onto the "bestseller" list. The company said it had upgraded security and Nguyen was banned from selling products through its app store.

Since then hacking has continued to plague iTunes, with well over 1,000 incidents reported through the Apple forums. Yet the company hasn't publicly addressed the problem, nor responded to journalists' requests for information about the issue. Given the number of posts on the forum, there could be thousands, possibly tens of thousands of compromised accounts, but without any information from Apple, any estimate is a blind guess.

TY MILLER, chief technology officer at Sydney-based IT security firm Pure Hacking, says Apple appears to have chosen to reimburse hacked accounts rather than fix the problem.

<p>Photo by Mike Bowers</p>

Photo by Mike Bowers

"I would have expected Apple to take some sort of action by now," Miller says. "[That they haven't] can indicate one of two things:

"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix then they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller says.

Without Apple acknowledging the problem and providing more detailed information on what has been occurring, it is very difficult for outside security specialists to determine the cause of the problem.

Still, gift card credit is what most forum users are reporting having lost, and Miller says the frequency of that complaint indicates that hackers may be using software that can generate valid gift card number for use in the iTunes store.

“I would have expected Apple to take some sort of action by now…”

"There's free software out there that lets you generate iTunes gift card numbers and you can actually use them in the iTunes store and buy stuff, so it may not be that the actual accounts are being hacked, it can just be the gift card numbers being used," Miller says.

The servers don't appear to have been compromised, says Miller, meaning the hacking could be as simple as using such software to guess gift card numbers and then spending up, or it could extend to creating "malicious apps" that when downloaded allow the creator access to the user's account.

"There's really not a lot people can do except monitor their account and if there has been a fraudulent transaction, report it to Apple," Miller says.

He says iTunes will continue to be a target and Apple needs to respond more quickly to customer complaints about flaws in the system.

"I think Apple has a good attitude towards security in general, however I do think they need to be more responsive in getting security fixes out quicker. In iOS4 [the iPhone operating system] there was a publicly available exploit that lets you break into people's phones - and that was possible within four different releases [of the software]," Miller says. "That meant they knew about it, but they weren't actually fixing it so the phones were vulnerable."

Apple, which has so far avoided the kind of large-scale server hacking experienced by Sony in early 2011, when more than 77 million PlayStation users' details were compromised, continues to avoid responding publicly to the attacks.

When The Global Mail contacted the company its response was a general security statement that did not address the specific problems raised:

"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the statement said.

It advised customers who had experienced hacking or believe their account vulnerable to change their password.

4 comments on this story
by Bruce

This is just the tip of the iceberg...

Nearly ten weeks ago I reported an iPhone app that, without warning, downloads all email addresses to the developer server from the iPhone, and starts spamming them all - suggesting that the original app installer has introduced them into a directory. I got a pretty good response, saying that Apple was investigating and would act to remove the application immediately (having first suggested that I shouldn't have downloaded the app before reading the negative 'warning' reviews - the first of which I had written having already downloaded the app!). Despite numerous emails requesting progress and responses saying 'we're looking into it', the resonse I received yesterday said, in summary, 'you should try making your complaint to Apple' - this from the iTunes support team at, erm, Apple!

It's starting to look like Apple's notoriously stringent and 'difficult' proceedures around their 'closed' ecosystem are delivering none of the security and safety benefits that were promised by their approach, and even when major issues (such as those you've highlighted) are identified, they take no action. I'm starting to wonder if this was truly what Steve Jobs wanted for his company? Do go and seek out an application called 'Fonebook' to see what I'm talking about (but as Apple say, do read the reviews first - they are your only safety net!).

February 7, 2012 @ 9:44pm
Show previous 1 comments
by Constance

Good investigative journalism on this Apple itunes story! I strongly suggest doing a similar investigation on the hacking of Twitter accounts. Twitter responds to complaints about accounts being hacked with exactly the same type of non-specific boilerplate answers. And never connects users to anyone who is willing to follow up on specific problems. This is even more serious than the iTunes problem; Twitter users in countries with repressive regimes are at serious risk of their lives from hacked Twitter accounts!

February 8, 2012 @ 4:24pm
by Robert

I agree with most of your story and I'm thankful that, finally, at least someone is publishing something. I don't know (and it appears no one knows) how to get Apple to respond, making all of us who have been hacked very 'hacked off'.

One minor clarification/exception regarding the subject of randomly creating gift card numbers that eventually hit upon one with a balance. As I read the forum (and for me personally), the gift card was converted into an iTunes credit balance, so it was the credit balance in iTunes that was extracted, not the value of a gift card. Without further conversation with each victim, I don't know how to confirm or refute the possibility of gift card access without iTunes access. But in my case, it was iTunes access.

Thanks again for your article and any attempts to get Apple to act.

February 11, 2012 @ 6:30am
by Hossan

About the 'hacking' of gift cards, I think that some people have already figured out the algorithms of the gift cards' serial numbers. What Apple needs to do is change it! And, it's the customers' responsibility to change their passwords every now and then.

August 13, 2013 @ 10:28pm
Type a keyword to search for a story or journalist