Slashdot Mirror


iTunes Music Store Hole Discovered, Patched

prockcore writes "A vulnerability has been found in Apple's iTunes Music Store. The flaw enabled hackers to hijack other people's accounts by knowing only their email address, and download music with it. Apple has patched the hole."

26 comments

  1. Good thing by Anonymous Coward · · Score: 3, Insightful

    I'm glad to hear that the Canadian Researcher didn't exploit the hole and no one (so far) has been bit in the ass by the error. This is how to handle vulnerabilities IMHO.

  2. Well by aphex2000 · · Score: 4, Funny

    Now we know where those huge amounts of downloads are coming from :)

    1. Re:Well by lanej0 · · Score: 3, Funny

      Your mom?

      Just kidding. It was Steve J. Anyone else see how many songs he was downloading at the launch? ;-)

    2. Re:Well by ionyka · · Score: 3, Interesting

      I doubt that this could have affected it enough to make the estimates of the number of downloads significantly different. But at least they found it fast enough and fixed it so it didn't get out of hand.

    3. Re:Well by Anonymous Coward · · Score: 2, Funny

      I've been trying for days to guess the password to the steve@mac.com account. So far no success. :-(

    4. Re:Well by Anonymous Coward · · Score: 0

      I doubt it as well, but I'd like to know for sure.

      13.12.11.10.9.8.7.6.5.4.3.2.1

  3. worm? by rumpledstiltskin · · Score: 3, Funny

    maybe they should have used a worm to penetrate the apple..

    1. Re:worm? by Anonymous Coward · · Score: 0

      Whoever marked that as Funny can die now.

  4. MSTunes by jolshefsky · · Score: 5, Funny

    Just wait until Microsoft copies this service.

    --
    --- Jason Olshefsky

    Karma: Poser (mostly affected by adding this line long after everyone else did)

    1. Re:MSTunes by cpeterso · · Score: 2, Interesting

      free music! hmm, if the RIAA can sue Napster for enabling users to download free music, can the RIAA sue Apple or Microsoft if security holes in their music services enable users to download free music?

    2. Re:MSTunes by Daveman692 · · Score: 1

      Someone mod this parent up, one of the most insightful things I have read in a while.

    3. Re:MSTunes by sweet+reason · · Score: 2, Insightful

      can the RIAA sue Apple or Microsoft if security holes...

      does the RIAA care _who_ pays for the download, so long as _someone_ does?

      --
      Everything should be made as simple as possible, but not simpler. -- A.E.

    4. Re:MSTunes by Anonymous Coward · · Score: 0

      Really? Let me introduce you to this brilliant author named Dr. Seuss.

  5. Stupid error. by BoomerSooner · · Score: 4, Insightful

    How does something as simple as not passing authentication objects/info to the browser get past Apple's QA? Session Objects, Cookies and Hidden form fields are never secure from the user. Amazing this still happens.

    Ah, it feels like 1996 again.

    1. Re:Stupid error. by 2sleep2type · · Score: 5, Interesting

      I agree this is a really stupid mistake.

      However, in my experience of developing applications for a lot of 'big name' organisations, the QA, testing and other checking people have no idea of the issues, let alone an understanding of how to really 'break' an application.

      My general experience is if I don't QA my own work, as long as it's functionally correct no one else will question it.

      It's scary, one of the many reasons I'm very careful when I check my credit card bill.

    2. Re:Stupid error. by MobyDisk · · Score: 4, Insightful

      I've never seen an organization that had QA done by technical persons. But this type of stuff is out of the realm of QA. QA did their job by verifying that the functionality worked as described. But this wasn't a QC mistake, this was a design flaw. The design describes where the data comes from and where it is stored.

    3. Re:Stupid error. by sco08y · · Score: 1

      The only reason it's so painful is that it's so incredibly easy to spot w/ HTML.

      At least when all this stuff was binary you had an excuse!

      On the other hand, part of the reason is that HTML and HTTP don't encourage you to separate authentication from content and presentation.

      The whole thing is one meaningless "tree" pasted on to what are basically email headers.

      There's a reason no other network protocols were ever designed that way.
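
The pattern BoomerSooner and MobyDisk describe above, the identity to charge arriving from the browser rather than from server-side state, as an added example in Python. This is not Apple's code and not anything from the Wired article; the account balances, passwords, salt and server secret are constructed for the demo. It puts a handler that trusts a hidden `account_email` form field next to one that takes identity only from a server-side session bound to an HMAC-signed cookie, so the same request from someone who merely knows the victim's e-mail charges the victim in the first case and the requester's own account in the second.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment would load and rotate this.
SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"


def _hash_pw(password: str) -> bytes:
    # Fixed salt is a demo shortcut; use a per-user random salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)


def new_store() -> dict:
    """Fresh in-memory server state: balances, password hashes, sessions (all constructed)."""
    users = [("victim@example.com", "correct horse"), ("attacker@example.com", "hunter2")]
    return {
        "balances": {"victim@example.com": 20.00, "attacker@example.com": 0.50},
        "pw_hashes": {email: _hash_pw(pw) for email, pw in users},
        "sessions": {},  # opaque session id -> e-mail; never leaves the server
    }


def vulnerable_buy(store: dict, form: dict, price: float) -> str:
    """The flaw the thread describes: the account to charge is read from a
    hidden form field the client controls, so knowing an e-mail address is
    enough to buy on that account."""
    email = form.get("account_email")
    if email not in store["balances"]:
        return "unknown account"
    store["balances"][email] -= price
    return email


def login(store: dict, email: str, password: str):
    """Verify the password and return a signed, opaque session cookie value
    (sid.tag); the sid-to-identity mapping stays server side."""
    expected = store["pw_hashes"].get(email)
    if expected is None or not hmac.compare_digest(expected, _hash_pw(password)):
        return None
    sid = secrets.token_urlsafe(32)
    store["sessions"][sid] = email
    tag = hmac.new(SERVER_SECRET, sid.encode(), "sha256").hexdigest()
    return f"{sid}.{tag}"


def _session_email(store: dict, cookie):
    """Resolve a cookie to a server-side identity, rejecting forged or
    tampered cookies before touching the session table."""
    if not cookie or "." not in cookie:
        return None
    sid, tag = cookie.rsplit(".", 1)
    good = hmac.new(SERVER_SECRET, sid.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(good, tag):
        return None
    return store["sessions"].get(sid)


def hardened_buy(store: dict, cookies: dict, form: dict, price: float) -> str:
    """Identity comes only from the authenticated session. Any account named
    in the form body is ignored, so a hidden field cannot redirect the charge."""
    email = _session_email(store, cookies.get("session"))
    if email is None:
        return "not logged in"
    if store["balances"][email] < price:
        return "insufficient funds"
    store["balances"][email] -= price
    return email


if __name__ == "__main__":
    store = new_store()
    # Attacker knows only the victim's e-mail and submits it in the hidden field.
    print("vulnerable charged:", vulnerable_buy(store, {"account_email": "victim@example.com"}, 0.99))
    store = new_store()
    cookie = login(store, "attacker@example.com", "hunter2")
    print("hardened charged:", hardened_buy(store, {"session": cookie},
                                            {"account_email": "victim@example.com"}, 0.25))
```

The point of the hardened handler is not the cookie signature by itself but where the identity is resolved: the signed cookie only proves the session id was issued by this server, and the e-mail is looked up from the server-side table, so nothing the browser sends names the account to be charged.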

  6. Hackers? by bluephone · · Score: 1, Interesting

    s/hackers/jackasses who think it's cool to defraud and steal, and make the rest of real hackerdom look bad.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]

  7. is it fixed? by Anonymous Coward · · Score: 0

    I like how Wired gave a (fairly) detailed description of the problem, but no detailed description of the FIX. So is this problem "really" fixed?

    1. Re:is it fixed? by Finque · · Score: 1

      Apple representatives said the company corrected the problem Friday, but declined to provide details of the fix.

  8. Go work in banking, the military or any other high by BoomerSooner · · Score: 4, Insightful

    risk area, where if you and QA don't catch something like this, you're fired.

    It makes you code better knowing screwing up could cost you your job. Although in situations like that you usually get more realistic development schedules compared to the corporate schedule of get it done now. (Or at least that's what I've experienced.)

  9. direct downloads are better! by Anonymous Coward · · Score: 0

    direct download links are better! heheh...check out earth2willi.com for lots of free music downloads to install on your new iPod! It's registration and advertisement free, untouched by the RIAA, available in various genre and fileformats, complete with print resolution artwork, and uncrippled by DRM.

  10. semi-offtopic by Magius_AR · · Score: 1

    I find it very funny that there's only been like 23 posts on this topic. If it was Windows or IIS or something, there'd be like 500 minimum.