Apple: iTunes 'hack' is no big deal
- — 07 July, 2010 23:25
News of hacked iTunes user accounts made headlines earlier this week, but it turns out only a very small fraction of users were affected. Apple says just 400 user accounts were compromised over the weekend, which equals to around 0.0003 percent of the over 150 million iTunes account holders.
Reports emerged on Sunday that a Vietnamese developer called Thuat Nguyen gamed the App Store ratings in the Books category, by purchasing his own apps using hacked iTunes accounts. At one point, the developer's apps occupied 42 of the top 50 apps sold in the Books section, and users reported purchases of up to US$500 with their accounts.
Nguyen's apps had been removed from the App Store late as of Sunday, because he "violat[ed] the developer Program License Agreement, including fraudulent purchase patterns," Apple said. The company also claims that its iTunes servers were not compromised in any way.
When short, insecure passwords for iTunes accounts are used, users leave themselves open to hackers guessing their credentials. Compromised accounts are also nothing new: on the forums of the MacRumors site, there are dozens of replies in threads dating back from 2008 reporting such problems.
Following this incident, Apple will ask more frequently for your CCV number from your card (last three digits from the number at the back of the card), which is supposed to prove that the card in is the possession of the person making the purchase.
Developer suspicious of Apple's claims
Alex Brie, one of the developers who first reported the App Store problems with the Vietnamese developer, is suspicious of Apple's claims. After his calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store.
Brie, who also develops iPhone books apps, was affected by Nguyen's gaming of the App Store ratings. Despite Apple's claims, he speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple's iTunes servers and skip the normal security steps, or run an automated scripted program.
One final question
Apple is well known for its draconian App Store approval process, so there are questions over how Thuat Nguyen's apps got approved in the first place. The developer links for these apps led to a parked (inexistent) domain, and according to one report, they even featured copyrighted material.