
Tuesday, July 6, 2010

iTunes accounts plundered, Apple's App store needs better control mechanisms

NOTE: The following is reprinted from Help Net Security http://www.net-security.org/

YouTube isn't the only online service whose regular operation has been disrupted this weekend - the Apple App Store has been targeted and even some iTunes accounts have been compromised by money-loving criminals.


It all started on Sunday, when The Next Web noticed that the list of the top 50 best selling applications in the "Books" category contained 40 applications from the same developer - one Thuat Nguyen.

Further investigation into the matter revealed that the list was very recently populated by those applications. Apparently, a number of people complained that their iTunes accounts had been hacked and used to buy diverse apps (including those developed by Nguyen). The price of these apps ranges from a couple to a hundred dollars.

Apple has obviously been notified. They reacted by removing all the apps of that particular developer while advising users to change their account passwords. Apple will likely halt whatever payments to the developer it can still stop.

But this particular instance revealed a bigger problem - Nguyen isn't the only developer who took advantage of hacked accounts to fill his own pockets and put his applications high on the "popular" lists in hopes of getting more attention and money from legal transactions. As it turns out, "app farms" abound in the Apple App Store - one notable example is a farm of 4568 applications, all more or less worthless, developed by Brighthouse Labs.

These application farms are held by developers based in Asia - they are probably counting on that fact to keep them from being sued or arrested. The links the developers provided for supposed support and business pages direct users to non-existent websites.

I'm sure that Apple will have to think about putting some mechanisms in place to prevent things like this from happening - a tighter control over what developers put in the App Store is definitely in order, which won't make most developers happy, as it may cause further delays in getting apps posted. Concerning the hacked accounts, it is not yet known how that happened. It is possible that account credentials have simply been phished and Apple is blameless when it comes to that particular aspect of this case.

In the meantime, if you are an Apple App Store user, you are advised to check your purchases and to get in touch with Apple if you find that your account has been used to buy applications you did not buy yourself. Also, change your iTunes account password.
