Whatever the number of people that were affected, this is what concerns me:

- Apple didn't catch it right away.
- There is an obvious flaw in a system when it allows volume purchases of something and/or allowing purchases of a suspicious nature.
- Our iTunes accounts are not safe as we have been led to believe.

I certainly hope it's greatly exaggerated, and that it leads to something put in place to protect consumers from it.

What does all this mean then (at the place you quoted your source from):
http://thenextweb.com/apple/2010/07/04/appstore-hack-itunes/

Edit:

I do think that "hacked" is the wrong word, it should read "compromised".
 
The Book category in which we found these apps (note, they've been pulled from the App Store) is one of the lowest trafficked categories in the App Store. Based on sales reports we've received from developers, the number of daily sales required to hold a book in the #10-#50 rank seems to range from 50-250 sales a day.

If this is true then it's similar to the productivity section.
For being around the #50 productivity rank you need 50-60 downloads / day.
 
I got a password change request which I never requested a few days ago ... I thought it was strange ... could it have anything to do with that?
 

ArkhamNative said:
I use secure passwords on all systems that I viably can, but how do you do a secure, long password practically for an iOS device?! IIRC, you can't copy-paste to the iTunes password dialog box. Likewise, the clipboard is accessible to apps, so it isn't secure either.

I suggest you look at 1Password from Agile Web Solutions. (Note: I'm just a happy customer for over a year.) It works with "most modern browsers", has an iPhone and iPad app, and a Windows version in beta. And has a nice password generator, too.

1Password has no problem with dozens (hundreds?) of accounts with passwords like ,XMcigSwMN#(87y59{VRR5]b or tot-maj-nu-al-wea, except that you may become irked when sites want no more than 14 or 22 characters in a password, or balk at fairly common symbols like { or @.

I love 1password too. If only they would create an Android apply to go with it too. The iPhone one worked well enough when I used it tho.

Great Alps!
 
The first thing I thought when I saw this story was that the App Store had clearly not been hacked, it's just that a few iTunes Store accounts were phished or something. By saying the App Store itself was hacked, they're downright lying.
 
- Apple didn't catch it right away.
- There is an obvious flaw in a system when it allows volume purchases of something and/or allowing purchases of a suspicious nature.
So it is a flaw that using a large-ish number of accounts one can purchase a large-ish number of items?
- Our iTunes accounts are not safe as we have been led to believe.
Our iTunes accounts are as safe as the computers we type them on.
 
mhmmm just a few hundred people have been ripped off, no big deal.
:rolleyes:


It's no big deal if you weren't hit....

I was hit 3 times for about $180 which came out of my bank account today..

It's a pretty big deal to me, since money is tight these days...

I'm glad reports of this are all over the web so people who don't check their account at all, are now aware....

Hopefully, Apple will do the right thing and refund the money..

It's NOT just a few people hit... I'm guessing hundreds maybe thousands were hit, do you think everyone would come on here to post if they were?
 
"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!" :D

Sandurz! Open the air-shield! ... (and change the combination on my luggage)

(hehe)

Anyway, everything we say here is pure conjecture. Usually, these sorts of events are caused by a bot-net waking up and putting to use the data (CC info, iTunes account info) that its zombie hosts have been collecting. That's a million miles from saying the iTunes service itself has been hacked, although that's by no means impossible.

It's difficult to see how an automated system could detect and prevent this sort of bot-net instigated exploit. Assuming it was a botnet, these purchases could well have appeared to come from each compromised machine's IP address -- and so, to an automated system, probably indistinguishable from a genuinely-popular app.

It'll be interesting to see the details of what's actually happened here...
 
The first thing I thought when I saw this story was that the App Store had clearly not been hacked, it's just that a few iTunes Store accounts were phished or something. By saying the App Store itself was hacked, they're downright lying.

So you have no idea how it was done, the numbers involved, but are happy to make claims that the store was not hacked. Maybe jumping to conclusions? iTunes accounts are part of the App store....

Just like any account, online store, bank etc, your iTunes account can be compromised, everyone should be aware of suspicious behavior around their online transactions. The numbers of an attack are not the main issue, it's the fact that hackers are now targeting Apple systems/products (and will in the future as they get market share), and people need to stop thinking that Macs are unhackable.
 
Regardless of whether there has just been a spike in the hacks or not, there have always been complaints about this. One very simple solution is to ONLY use gift cards for all your iTunes purchases, therefore you can only lose what was left on the gift card (and who uses iTunes for anything more than app purchases anyway? Music is cheaper from Amazon or 7 digital, and TV and movies are cheaper buying them on DVD/Blu-ray, and then you are NOT locked into the iTunes format and can watch them anywhere and rip them for ANY device you own).
 
So you have no idea how it was done, the numbers involved, but are happy to make claims that the store was not hacked. Maybe jumping to conclusions? iTunes accounts are part of the App store....

Just like any account, online store, bank etc, your iTunes account can be compromised, everyone should be aware of suspicious behavior around their online transactions. The numbers of an attack are not the main issue, it's the fact that hackers are now targeting Apple systems/products (and will in the future as they get market share), and people need to stop thinking that Macs are unhackable.

Macs didn't get hacked in this, we know what happened: individual iTunes Store accounts were compromised. Absolutely any type of online account, whether it's your iTunes account, Facebook account, or your account on this forum, is vulnerable to phishing or keylogger attacks.

Not everyone who uses the iTunes Store uses a Mac, remember, but those who do need to give a keylogger admin access for it to install. Those who use Windows obviously need to keep their security software up to date.

As for phishing, just don't be an idiot and make sure you use a modern internet browser and be wary of suspicious e-mails.
 
Complaints about media reporting this issue are clearly misplaced

Even if this happened because user passwords were phished, it was important to make people aware of the issue because they might believe (falsely) that nobody would be interested in obtaining access to their account due to the inability to benefit from it. As this scam shows, this is a false assumption. People should treat iTunes accounts just as every other account linked to credit cards. Also keep in mind that in many cases iTunes accounts are used by children with a skewed sense of security.
 
It's not that it's just a hundred people are affected. It's that it doesn't seem like it's anything new.

Add to it that there's no proof that even one person was affected and you have what could amount to a non story.

Yeah, a couple of folks said in the reviews they were hacked, but perhaps they were part of this 'padding' ring. We really don't know. Perhaps, as someone suggested, this was done by someone pissed at the developer who wanted to get him tossed out. So they pad his numbers using a bunch of fake accounts, toss in a couple of 'I was hacked' messages to up the alleged dirty moves, and sit back and see what happens.

We simply don't know.

And even if they were "hacked", how do we know that it was some major spree and they weren't victims of letting a boy/girlfriend use their computer where the password was saved in the system, bypassing manual entry each time? Or that they didn't use some idiot simple password, etc.?

There's very little proof of anything other than a momentary surge in one guy's sales that didn't even last more than a couple of hours.
 
Could it be a money laundering scam?

There was a case in the UK a year or two ago where money launderers were using the iTunes store to convert cash into a bank account via iTunes vouchers. The vouchers were being used to purchase particular albums back then.

It's possible that the very same is happening here.
 



It's not that it's just a hundred people are affected. It's that it doesn't seem like it's anything new.

Ok let's say this month a hundred people are affected. But let's also say 100 people are affected every month. How often is this a story?

I believe it's a chronic problem not an acute one.

arn

I think the "new" thing here is the new way of monetizing the access to compromised accounts.
 
Regarding thenextweb article, so 5 tweets spread across 2 days from people saying their iTunes account was compromised is evidence of a widespread attack? Give me a break.
 
My account wasn't hacked - and it's unlikely that it will be even though so many websites are blowing this up for no reason - I did change my password just to be sure.
 
Macs didn't get hacked in this, we know what happened: individual iTunes Store accounts were compromised. Absolutely any type of online account, whether it's your iTunes account, Facebook account, or your account on this forum, is vulnerable to phishing or keylogger attacks.

Yep. Blizzard and "World of Warcraft" see this sort of problem on a huge scale all the time. Usernames and passwords captured by virus/malware/scam emails and then used by hackers to compromise the account to obtain in-game items that they then sell for real money. My credit card company is so paranoid about the problem they automatically block any transaction from Blizzard until I authorise it over the phone.. even on a monthly re-occurring subscription.

I suspect what may have gone down here is someone has harvested iTunes user/passes .. either via a virus or some other method local to the computers in question, created a bunch of items on the store and then made small purchases with each, hoping they'd slip under the radar. They probably didn't think about the store ranking issue.

If I had one of these transactions I'd run an immediate virus/malware scan to make sure nothing is on my computer.
 
My account was hacked

My account took a hit when $65 was drained.
This is a much bigger problem than Apple refuses to acknowledge. I won't use iTunes anymore. I use Amazon for my book purchases and will jailbreak my iPad for any apps I need. Apple refuses to correct my loss with any kind of refund.
All apps purchased with my hacked account were Chinese apps.
 
My account took a hit when $65 was drained.
This is a much bigger problem than Apple refuses to acknowledge. I won't use iTunes anymore. I use Amazon for my book purchases and will jailbreak my iPad for any apps I need. Apple refuses to correct my loss with any kind of refund.
All apps purchased with my hacked account were Chinese apps.

If Apple truly does refuse to refund call your bank and declare it as fraud. They better figure out a way to refund me my $1,400 otherwise I smell a lawsuit coming.
 
First point of call should always be your bank/credit card provider. Credit cards, at least here in the UK, are covered by anti fraud protection to refund you in situations like this. Apple may have sympathy and may refund themselves without your bank getting involved but you should always contact your bank first as a priority. And then start running anti virus scans etc.
 
So it is a flaw that using a large-ish number of accounts one can purchase a large-ish number of items?

Our iTunes accounts are as safe as the computers we type them on.

It really does seem like everyone loves to attack Apple when something goes wrong. There are lots of scams like this that happen on Windows every day, but you don't hear of anyone complaining.
 