Reports of 'App Store Hacked' Greatly Exaggerated

[MacRumors]

Earlier today a report on TheNextWeb claimed that the App Store had been hacked and that a rogue developer had gamed the system by artificially driving sales to their eBooks. The rise in ranks were noted by competing developers who thought the rise strange given that the books all represented poorly coded Vietnamese-based books.

A couple of reviews left on one of the books revealed that at least two customers had their iTunes accounts compromised to purchase the books. This led to theories that a widespread attack specifically tied to this developer could be the cause of the rise in ranks. Which then led to a cascade of headlines suggesting that everyone's iTunes account was suddenly vulnerable to a coordinated attack. While we do believe that this developer had been trying to game the iTunes ranking system, it's hard to believe that their efforts affected more than a few hundred accounts worldwide.

The Book category in which we found these apps (note, they've been pulled from the App Store) is one of the lowest trafficked categories in the App Store. Based on sales reports we've received from developers, the number of daily sales required to hold a book in the #10-#50 rank seems to range from 50-250 sales a day. That means that even if every sale was based on a compromised account, the actual number of accounts involved are minuscule compared to the 100 million active iTunes accounts.

Now, on a separate note, the issue of hacked or compromised iTunes accounts is a major issue, and one not to be dismissed. However, this issue has been ongoing for years and we're not convinced there has been a major spike in activity. iTunes accounts are easy targets since they are so common. In our forums we have had a running thread on the topic since January 2008. A few reports appear every few months. There do seem to be a higher number of reports arising the past day or two of other iTunes accounts being hacked. It's certainly possible there has been an acute rise in the past few days, but the added press coverage will certainly attract more stories. Meanwhile, a blog post from 2009 similarly attracted a number of "me too" reports.

It's still a good idea to make sure your accounts are safe, and especially important to make sure you have good (and different) passwords on all your sensitive accounts. Common mistakes include easy to guess passwords and shared passwords across multiple accounts.

Article Link: Reports of 'App Store Hacked' Greatly Exaggerated

[Dainin]

The media loves to blow anything apple up. Great report.

[ChazUK]

Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)

I just hope whomever gets targetted in these attacks gets their money back.

[adamvk]

Hopefully someone hacks in again and starts adding more iPad apps....

edit: Chaz UK, how'd you get a Dell Streak?

[JoeG4]

mhmmm just a few hundred people have been ripped off, no big deal.

[mikemac11]

Must have been a slow news day if all sites have to report on are a few phished iTunes accounts

[ChazUK]

Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)

Quote:

Originally Posted by adamvk

Hopefully someone hacks in again and starts adding more iPad apps....

edit: Chaz UK, how'd you get a Dell Streak?

The streak has been out for a few weeks in the U.K!

[DipDog3]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7)

Hacked iTunes accounts could make for some big bucks in the App Store which is probably why they did it.

[iphones4evry1]

The security and unhackability of Apple systems has been greatly exaggerated.

[chris200x9]

I was hacked, true story.

[RonHC]

Save the children

[Warbrain]

Maybe people will bitch about this instead of the iPhone even if they didn't get hacked.

[abhibeckert]

A couple of weeks ago a family friend was bitten by fraudulent transactions in iTunes, over $300+ worth.

They were refunded, but I wonder if this is more widespread than the article implies? A whole bunch of illegal credit card transactions which push you up to the top could very well result in a bunch of perfectly legit transactions.

Apple needs to tread carefully. There's no way to prove the guy who's selling the app was involved in the fraud. It could be a competitor trying to get him banned.

[chris200x9]

Quote:

Originally Posted by iphones4evry1

The security and unhackability of Apple systems has been greatly exaggerated.

+1 either they got a trojan on their mac, or a rogue app got their info. Funny how android got a rogue app and everybody here was like "ZOMG!!!111"

[Nord]

À propos password, their's an easy solution: make a horribly long password of 16-20 "letters" with special characters and numbers and letters together, you'll be safe for many, many years, if not your whole life.

[chris200x9]

Quote:

Originally Posted by Nord

À propos password, their's an easy solution: make a horribly long password of 16-20 "letters" with special characters and numbers and letters together, you'll be safe for many, many years, if not your whole life.

Sure, if it was a brute force attack which I do not believe it was. I don't care how long your password is a trojan can get it just as easily.

[charlituna]

Quote:

Originally Posted by ChazUK

Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)

I just hope whomever gets targetted in these attacks gets their money back.

I suspect it was mostly no one. The lists change constantly and already those titles are mostly gone.

So my guess is that this developer decided to try something cute. Created a bunch of fake accounts using hotmail, gmail etc. maybe a few friends mixed in (a couple of whom could have gotten nervous and decided to try 'hacked' to protect themselves or maybe he promised to repay them and didn't). Use some gift cards bought with cash and no one is any wiser.

It's actually not the first time that someone padded figures and/or reviews. and on a potentially slow weekend it would be rather easy to do, especially on a system that updates very often.

[faroZ06]

They probably had insecure passwords that were real words. This doesn' mean that the Apple computer is vulnerable to viruses (as some of you seem to think).

[mikethebigo]

This is only big news (like other big news stories about Apple recently) because Apple parades around and keeps talking about how much better they are than everyone else. Truth is, any major online retailer has to deal with hacking, every major phone manufacturer builds phones with defects, etc.

Don't complain when you over-inflate your image and then people realize you're just a company run by humans like everyone else.

[Lord Vader]

Quote:

Originally Posted by chris200x9

+1 either they got a trojan on their mac, or a rogue app got their info. Funny how android got a rogue app and everybody here was like "ZOMG!!!111"

How do you know it was Mac and not PC?

[ValSalva]

I'd better change my password. I guess "password" isn't considered secure

[Jazerai]

i was one of the people that posted a link to the article. i haven't gone back and re-read it but i don't remember there being anything in the article that could be taken as an attack on apple. just a news story about what happened.

i understand that apple and the iphone 4 have been taking a beating recently but seriously... people are losing money. a pretty good amount of it in some cases. do people here really think that saying it's only happened to a few hundred people means it isn't worth reporting?

http://forums.macrumors.com/showthread.php?t=407990

[Consultant]

AKA mor0s falls for phising scams, blame Apple for their lack of common sense.

Quote:

Originally Posted by mikethebigo

This is only big news (like other big news stories about Apple recently) because Apple parades around and keeps talking about how much better they are than everyone else. Truth is, any major online retailer has to deal with hacking, every major phone manufacturer builds phones with defects, etc.

Don't complain when you over-inflate your image and then people realize you're just a company run by humans like everyone else.

Some people are pretty clueless about the differences between account being hacked or user stupidity.

[Nord]

Quote:

Originally Posted by chris200x9

Sure, if it was a brute force attack which I do not believe it was. I don't care how long your password is a trojan can get it just as easily.

I doubt that, why would websites recommend long passwords if they're just as inefficient as shorter ones as you claim ? In that case, who cares about long passwords ?
That simply isn't true. I'm no expert of course, but I know that with 20 characters, there are quadrillions of combinations (I don't make the maths, I'll let you do it if it bothers you), making it impossible to crack, even for a machine and a life time isn't enough to crack it, and even if it was, finding another way to enter would take less time than find it.

Length is much more secure than "complexity" (adding $ and otehr &, %) onto a short password, it's good, but not enough and won't be as efficient than using normal alphabet, random at best, with a 20+ long password.

[mauree]

Quote:

Originally Posted by Nord

I doubt that, why would websites recommend long passwords if they're just as inefficient as shorter ones as you claim ? In that case, who cares about long passwords ?
That simply isn't true. I'm no expert of course, but I know that with 20 characters, there are quadrillions of combinations (I don't make the maths, I'll let you do it if it bothers you), making it impossible to crack, even for a machine and a life time isn't enough to crack it, and even if it was, finding another way to enter would take less time than find it.

Length is much more secure than "complexity" (adding $ and otehr &, %) onto a short password, it's good, but not enough and won't be as efficient than using normal alphabet with a 20+ long password. One letter adds many, many more possibilities.

Nord, what he meant is that malware could, for example, detect your password as you type it, find it on your hard drive, etc. In that case it doesn't matter how many letter it's long, cause it wouldn't try to guess it by brute force.