Reports of 'App Store Hacked' Greatly Exaggerated

Discussion in 'News Discussion' started by MacRumors, Jul 4, 2010.

  1. macrumors bot


    Apr 12, 2001


    Earlier today a report on TheNextWeb claimed that the App Store had been hacked and that a rogue developer had gamed the system by artificially driving sales to their eBooks. The rise in ranks was noted by competing developers, who thought the rise strange given that the books all represented poorly coded Vietnamese-based books.

    A couple of reviews left on one of the books revealed that at least two customers had their iTunes accounts compromised to purchase the books. This led to theories that a widespread attack specifically tied to this developer could be the cause of the rise in ranks, which then led to a cascade of headlines suggesting that everyone's iTunes account was suddenly vulnerable to a coordinated attack. While we do believe that this developer had been trying to game the iTunes ranking system, it's hard to believe that their efforts affected more than a few hundred accounts worldwide.

    The Book category in which we found these apps (note, they've been pulled from the App Store) is one of the lowest trafficked categories in the App Store. Based on sales reports we've received from developers, the number of daily sales required to hold a book in the #10-#50 rank seems to range from 50-250 sales a day. That means that even if every sale was based on a compromised account, the actual number of accounts involved is minuscule compared to the 100 million active iTunes accounts.

    Now, on a separate note, the issue of hacked or compromised iTunes accounts is a major issue, and one not to be dismissed. However, this issue has been ongoing for years and we're not convinced there has been a major spike in activity. iTunes accounts are easy targets since they are so common. In our forums we have had a running thread on the topic since January 2008. A few reports appear every few months. There does seem to be a higher number of reports arising in the past day or two of other iTunes accounts being hacked. It's certainly possible there has been an acute rise in the past few days, but the added press coverage will certainly attract more stories. Meanwhile, a blog post from 2009 similarly attracted a number of "me too" reports.

    It's still a good idea to make sure your accounts are safe, and especially important to make sure you have good (and different) passwords on all your sensitive accounts. Common mistakes include easy-to-guess passwords and shared passwords across multiple accounts.

  2. macrumors regular

    Sep 4, 2009
    The media loves to blow anything Apple up. Great report.
  3. macrumors 603


    Feb 3, 2008
    Essex (UK)
    Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)

    I just hope whoever gets targeted in these attacks gets their money back. :(
  4. macrumors 65816


    Oct 29, 2008
    Phoenix, AZ
    Hopefully someone hacks in again and starts adding more iPad apps....

    edit: Chaz UK, how'd you get a Dell Streak?
  5. macrumors 68020


    Jan 11, 2002
    Bay Area, Ca.
    mhmmm just a few hundred people have been ripped off, no big deal.
  6. macrumors newbie

    Jun 22, 2010
    Must have been a slow news day if all sites have to report on are a few phished iTunes accounts
  7. macrumors 603


    Feb 3, 2008
    Essex (UK)
    Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)

    The streak has been out for a few weeks in the U.K! :)
  8. macrumors 65816


    Sep 20, 2002
    Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7)

    Hacked iTunes accounts could make for some big bucks in the App Store which is probably why they did it.
  9. macrumors 65816


    Nov 26, 2008
    California, USA
    The security and unhackability of Apple systems has been greatly exaggerated.
  10. macrumors 6502a

    Jun 3, 2006
  11. macrumors 6502a


    Apr 27, 2010
  12. macrumors 603


    Jun 28, 2004
    Chicago, IL
    Maybe people will bitch about this instead of the iPhone even if they didn't get hacked.
  13. macrumors regular

    Jun 2, 2007
    A couple of weeks ago a family friend was bitten by fraudulent transactions in iTunes, over $300+ worth.

    They were refunded, but I wonder if this is more widespread than the article implies? A whole bunch of illegal credit card transactions which push you up to the top could very well result in a bunch of perfectly legit transactions.

    Apple needs to tread carefully. There's no way to prove the guy who's selling the app was involved in the fraud. It could be a competitor trying to get him banned.
  14. macrumors 6502a

    Jun 3, 2006
    +1 either they got a trojan on their mac, or a rogue app got their info. Funny how android got a rogue app and everybody here was like "ZOMG!!!111"
  15. macrumors member

    Apr 28, 2010
    À propos password, there's an easy solution: make a horribly long password of 16-20 "letters" with special characters and numbers and letters together, you'll be safe for many, many years, if not your whole life.
  16. macrumors 6502a

    Jun 3, 2006
    Sure, if it was a brute force attack, which I do not believe it was. I don't care how long your password is, a trojan can get it just as easily.
  17. macrumors G3


    Jun 11, 2008
    Los Angeles, CA
    I suspect it was mostly no one. The lists change constantly and already those titles are mostly gone.

    So my guess is that this developer decided to try something cute. Created a bunch of fake accounts using hotmail, gmail etc. maybe a few friends mixed in (a couple of whom could have gotten nervous and decided to try 'hacked' to protect themselves or maybe he promised to repay them and didn't). Use some gift cards bought with cash and no one is any wiser.

    It's actually not the first time that someone padded figures and/or reviews, and on a potentially slow weekend it would be rather easy to do, especially on a system that updates very often.
  18. macrumors 68040


    Apr 3, 2009

    They probably had insecure passwords that were real words. This doesn't mean that the Apple computer is vulnerable to viruses (as some of you seem to think).
  19. macrumors 68000

    May 25, 2009
    This is only big news (like other big news stories about Apple recently) because Apple parades around and keeps talking about how much better they are than everyone else. Truth is, any major online retailer has to deal with hacking, every major phone manufacturer builds phones with defects, etc.

    Don't complain when you over-inflate your image and then people realize you're just a company run by humans like everyone else.
  20. macrumors 6502a

    Lord Vader

    Apr 26, 2010
    Death Star
    How do you know it was Mac and not PC?
  21. macrumors 68040


    Jun 26, 2009
    Burpelson AFB
    I'd better change my password. I guess "password" isn't considered secure :D
  22. macrumors newbie

    Aug 16, 2008
    i was one of the people that posted a link to the article. i haven't gone back and re-read it but i don't remember there being anything in the article that could be taken as an attack on apple. just a news story about what happened.

    i understand that apple and the iphone 4 have been taking a beating recently but seriously... people are losing money. a pretty good amount of it in some cases. do people here really think that saying it's only happened to a few hundred people means it isn't worth reporting?
  23. macrumors G5


    Jun 27, 2007
    AKA mor0s falls for phishing scams, blame Apple for their lack of common sense.

    Some people are pretty clueless about the difference between an account being hacked and user stupidity.
  24. macrumors member

    Apr 28, 2010
    I doubt that, why would websites recommend long passwords if they're just as inefficient as shorter ones as you claim? In that case, who cares about long passwords?
    That simply isn't true. I'm no expert of course, but I know that with 20 characters, there are quadrillions of combinations (I haven't done the maths, I'll let you do it if it bothers you), making it impossible to crack, even for a machine, and a lifetime isn't enough to crack it, and even if it was, finding another way to enter would take less time than finding it.

    Length is much more secure than "complexity" (adding $ and other &, %) onto a short password, it's good, but not enough and won't be as efficient as using normal alphabet, random at best, with a 20+ long password.
  25. macrumors newbie


    Jun 16, 2010
    Nord, what he meant is that malware could, for example, detect your password as you type it, find it on your hard drive, etc. In that case it doesn't matter how many letters long it is, 'cause it wouldn't try to guess it by brute force.