Slashdot Mirror


Users Report Foul Play In App Store Rankings, Purchases

An anonymous reader writes "Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen. What's more concerning is that it seems individuals' iTunes accounts have been hacked to make mass purchases of that one developer's apps." Among the comments attached to the linked story is one which suggests the security problem may lie elsewhere.
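The pattern the two developers noticed (40 of the top 50 slots in one category held by a single developer) is the kind of thing a store operator can check for mechanically. The following is an added example, not code from Apple, Slashdot or the linked story: it computes each developer's share of a ranked chart, a Herfindahl-style concentration index, and flags any developer above a share threshold. The chart data is constructed to mirror the 40-of-50 figure in the summary (the app names and the 20% threshold are assumptions, not anything the story states).

```python
from collections import Counter

# Constructed sample chart: 50 ranked slots, 40 of them held by one
# developer (the name is from the story; the titles are invented).
SAMPLE_CHART = [
    (rank, f"Book {rank}", "Thuat Nguyen" if rank % 5 != 0 else f"Publisher {rank // 5}")
    for rank in range(1, 51)
]


def developer_shares(chart):
    """Map each developer to the fraction of chart slots it holds.

    chart is a list of (rank, app_title, developer) tuples.
    """
    counts = Counter(dev for _, _, dev in chart)
    total = len(chart)
    return {dev: n / total for dev, n in counts.items()}


def concentration_index(chart):
    """Herfindahl-Hirschman index over developer shares.

    Equals 1/len(chart) when every slot belongs to a different developer
    and 1.0 when a single developer holds the whole chart, so a jump in
    this value between two daily snapshots is a cheap anomaly signal.
    """
    return sum(s * s for s in developer_shares(chart).values())


def flag_dominant_developers(chart, max_share=0.2):
    """Return {developer: sorted ranks held} for every developer whose
    share of the chart exceeds max_share (threshold is an assumption)."""
    flagged = {}
    for dev, share in developer_shares(chart).items():
        if share > max_share:
            flagged[dev] = sorted(r for r, _, d in chart if d == dev)
    return flagged


if __name__ == "__main__":
    print(f"HHI = {concentration_index(SAMPLE_CHART):.3f}")
    for dev, ranks in flag_dominant_developers(SAMPLE_CHART).items():
        print(f"{dev}: {len(ranks)} of {len(SAMPLE_CHART)} slots, ranks {ranks[:5]}...")
```

A share check alone does not distinguish a genuinely popular publisher from a rigged chart; it only tells an operator which developers to look at more closely, for example by comparing purchase counts against the number of distinct, long-lived accounts that bought the apps.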

21 of 144 comments

  1. Hrm by therealobsideus · · Score: 4, Insightful

    Perhaps this is just another reason why I don't use iTunes. If I like an artist I download, I'll buy their CD - if not, I delete it. And it makes it much easier to convert a CD to ogg or flacs than with a lot of Apple's AAC crap.

    1. Re:Hrm by socceroos · · Score: 5, Insightful

      Meh, every online store is going to have its weaknesses. Unfortunately, most of the time, the greatest weakness is the users themselves.

      Not trying to justify iTunes - I hate it. Just saying that I doubt it's any more 'hackable' than the next online store.

    2. Re:Hrm by dlanod · · Score: 4, Informative

      I do use iTunes and the level of reviews are generally so crap as to be useless anyway. They tend to either be "this crashed on me once, 1 star" or "AWESOME!!! 5 stars!". That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

    3. Re:Hrm by Anonymous Coward · · Score: 5, Insightful

      Not liking assholes and viewing greed as a negative human quality doesn't necessarily make one a communist.

    4. Re:Hrm by whisper_jeff · · Score: 3, Informative

      Perhaps this is just another reason why I don't use iTunes.

      Do you pay for everything with cash? And, I mean _everything_. No, really - you do realize that this situation is not unique to iTunes, right? Hackers could go after your Amazon account, your Hydro account, or even your bank account. If the information is stored on a computer, hackers can (and have) found ways to go after it. It is not unique to iTunes.

      If you don't like iTunes (as you clearly don't), just don't use it because you don't like it - there's no need to make up excuses. Otherwise, back it up and cancel your bank account and start paying for everything by cash. (*)

      *I've heard of some people, who were sufficiently concerned about their information getting into the wrong hands, who do exactly that. It's a bit extreme, in my opinion but they at least put their money where their mouth is, so to speak.

    5. Re:Hrm by Anonymous Coward · · Score: 3, Funny

      You must not be from America.

    6. Re:Hrm by sortius_nod · · Score: 3, Insightful

      Exactly.

      It's kind of like blaming Blizzard for people's WoW accounts getting hacked. Your account has something someone wants, they'll try to get it. If you use weak passwords, well, no one's fault but your own there.

    7. Re:Hrm by Mitsoid · · Score: 5, Informative

      Other problem with iTunes,
      "All sales are final."

      From Terms and conditions, security section:
      "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account. "

      So better hope something else protects those people harmed, as I don't think California law (the "fallback" for iTunes T&C) will help much if a hacker steals $100-300 from you from another country.

      Glad I stopped storing my CC info with iTunes after they pulled products I paid for from the store and wouldn't let me re-download. They may have nice hardware, but their policies are horrible for end-users.

    8. Re:Hrm by Mitsoid · · Score: 4, Insightful

      Except Blizzard has a track record of account restoration and decent customer service in this area.

      In reality, most of the time it's neither party's fault -- The recent Adobe Flash exploit hurt a lot of people as they targeted flash advertisements for wow websites... even legitimate websites could be infected as they have to show advertisements to stay in business.

      Thankfully, Blizzard realizes that blaming end-users when a large, large percentage did not 'ask' for it, only costs the company money in the end when users stop using their service.

    9. Re:Hrm by BasilBrush · · Score: 3, Informative

      That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

      It would be pretty pointless mentioning them because for at least two years it's been impossible to review/rate an app unless you've actually bought it.

    10. Re:Hrm by jrumney · · Score: 4, Informative

      Let your credit card company fight that fight. They are obliged to refund you, and have bigger pockets for lawyers to make Apple accept liability for its own security problems.

    11. Re:Hrm by shutdown+-p+now · · Score: 4, Insightful

      I fail to see what relevance Apple (much less Steve Jobs personally) has here. This is about hacked user accounts. This kind of thing is an unfortunate fact of life, keeping in mind that social engineering attacks take up the majority in security breaches. There's only so much Apple can do to mitigate this, and I don't see that they missed anything.

      Heck, if anything, Apple's "walled garden" model - for all my dislike of it - is most efficient at dealing with these kinds of abuses. When malware authors have to go to the effort of hacking user accounts to get their crap shoved at users, you know they're tight against the wall already. In comparison, with Android, you just call yourself "Googe" (note spelling) and upload your malware directly.

      (How do I know it's malware? I haven't installed it, of course - but when all their apps, including a non-multiplayer five-in-a-row game, request "full network connectivity" and "location information" permissions on install, you know something's fishy; the fake company name is just icing on the cake.)

      The irony is that I can't even use Market feature to report it as malware, or at least write a 1-star review with a warning, because you can only write reviews/complaints once you install the app...

  2. Fowl Play by brianwells · · Score: 5, Funny

    The only fowl play I've found so far is Angry Birds.

  3. it's a new Service "iBuy" by s0litaire · · Score: 3, Funny

    Guys this is apple! So it's not a hack or flaw!

    Apple is taking the hassle of you actually wanting to buy things. Let Apple (Or un-approved 3rd party) decide which apps you're going to buy...

    --
    Laters, Sol. "Have you found the secrets of the universe?" asked Zebade. "I'm sure I left them here somewhere."

  4. Possible details from AppleInsider by immaterial · · Score: 5, Informative

    Last month, a user posted a forum comment stating, "I am going to tell you the truth about what has been going on with your account." The anonymous user then explained, "let's say you are a Chinese guy or girl with an iPhone or iPad and you want to get some music, movie or app. How do you do it? You go to http://www.taobao.com/ The (by far) largest online market in the world and type iTunes in the search bar. Immediately you will be presented with a list of more than 7,000 items.

    "You want to save money, so you filter the list to show only items under RMB25.00- (US $3.60) and still you have more than 3,600 offers. So you pick someone at random like, as an example, this one: http://item.taobao.com/item.htm?id=5516054242. You open the online chat and you transfer him RMB22.00 (US $3.20). He asks you in the online chat to provide a new iTunes account name and password, and you comply: User: qiuwge3foe3333@yahoo.com Password: qwer34567

    "He asks you to wait 10 minutes online. He already has a number of user accounts under surveillance, so he enters the iTunes account of his victim, changes his/her username and password to the one you provided, and comes back to ask you to try it and approve the transaction so Taobao.com releases his money. Even if you can't read Chinese you can see very clearly in his item description that this account will not last more than 24 hours (the time for his victim to see the charges mounting and then cancel the credit card).

    "He claims that he selects 'his' accounts so you can drain at least US $250.00 from them before they get cancelled. He urges you to be fast and buy and download as fast as you can. Start immediately! Keep the download going on for the full 24 hours! There are no warranties on how long it will last! Because he already changed the username and password, the victim can't stop you."

    More details here, though so far there's no explanation of how the accounts are getting hacked.

  5. Sounds like phishing... by maccodemonkey · · Score: 4, Insightful

    Any bets? Sounds like there were suddenly a bunch of phished accounts that got "activated."

  6. You've been Steeved! by Animats · · Score: 3, Insightful

    Other problem with iTunes, "All sales are final." .... From Terms and conditions, security section: "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account. "

    That's so Steve Jobs.

  7. Use temporary credit card numbers online by perpenso · · Score: 4, Informative

    Some banks / credit cards allow you to generate temporary credit card numbers with a limit that you specify. The ones I've seen in use also tie themselves to the first vendor they are used with. The temporary credit card number is effectively an alias for your real number. Personally I think these temporary numbers are far better to use online than a real credit card number.

    --
    Perpenso Calc for iPhone. Classic Scientific and HEX functionality plus RPN, fractions, complex numbers, 32/64-bit signed/unsigned bitwise operations, UTF-8, IEEE FP decode, and RGB decode with color preview.

    1. Re:Use temporary credit card numbers online by noidentity · · Score: 5, Informative

      BTW, Slashdot has an automatic signature feature, which gives you two benefits: you don't have to add it manually after each post, and those readers who aren't interested in the clutter of signatures can turn them off. When you add it manually, you annoy the latter group.
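The temporary card numbers perpenso describes above (a per-use alias for the real card, capped at a limit you choose and locked to the first merchant that charges it) are a least-privilege credential: even if the store account holding the alias is hijacked, the attacker can spend at most the remaining limit and only at that one merchant. The following is an added example, not code from any bank or from the commenter: a hypothetical model of that authorization policy, with the spend cap and the merchant binding enforced, and a replay of a constructed sequence of charges showing a hijacked alias being declined. Merchant names, amounts and the alias string are all made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VirtualCard:
    """Hypothetical merchant-locked, limit-capped alias for a real card.

    Only the alias is ever given to a merchant; the mapping back to the
    real card number would live with the issuer and is not modelled here.
    """
    alias: str
    spend_limit_cents: int
    spent_cents: int = 0
    bound_merchant: Optional[str] = None   # set by the first approved charge


def authorize(card: VirtualCard, merchant: str, amount_cents: int) -> Tuple[bool, str]:
    """Decide one charge against the alias and return (approved, reason).

    Policy (an assumption modelled on the comment's description):
      * the alias binds to the merchant of its first *approved* charge;
      * any other merchant is declined outright;
      * cumulative spend may never exceed the chosen limit.
    """
    if amount_cents <= 0:
        return False, "invalid amount"
    if card.bound_merchant is not None and card.bound_merchant != merchant:
        return False, "merchant mismatch"
    if card.spent_cents + amount_cents > card.spend_limit_cents:
        return False, "limit exceeded"
    # Bind only once a charge actually goes through, so a declined first
    # attempt does not lock the alias to a merchant that never got paid.
    card.bound_merchant = merchant
    card.spent_cents += amount_cents
    return True, "approved"


def replay(card: VirtualCard, charges: List[Tuple[str, int]]) -> List[Tuple[str, int, bool, str]]:
    """Run a sequence of (merchant, amount_cents) charges and record each decision."""
    return [(m, a, *authorize(card, m, a)) for m, a in charges]


# Constructed scenario: the owner creates a $25 alias for one store, then an
# attacker who has taken over the store account tries to use it elsewhere and
# to drain it at the original merchant.
SCENARIO = [
    ("music-store", 1000),   # owner's legitimate $10.00 purchase
    ("other-shop", 320),     # attacker at a different merchant: declined
    ("music-store", 2000),   # attacker at the bound merchant: over the cap
    ("music-store", 1500),   # exactly exhausts the remaining $15.00
    ("music-store", 1),      # nothing left
]


def run_scenario() -> List[Tuple[str, int, bool, str]]:
    card = VirtualCard(alias="alias-0000-1111", spend_limit_cents=2500)
    return replay(card, SCENARIO)


if __name__ == "__main__":
    for merchant, amount, ok, reason in run_scenario():
        print(f"{merchant:12} {amount / 100:7.2f}  {'OK ' if ok else 'NO '} {reason}")
```

The point of the model is what the attacker in the Taobao account-resale scheme above would run into: the hijacked account still holds a working card alias, but it cannot be pointed at a new merchant and cannot be drained past the owner's own cap. A real issuer's rules (expiry, refund handling, whether the bind is to a merchant ID or a merchant category) will differ; the comment only describes the limit and the first-vendor lock, so that is all this models.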

  8. Occam's Razor by webdog314 · · Score: 4, Insightful

    After reading the article, the other linked article, and the comments posted on the linked site, I have to ask what's more likely here: that approximately 30 people out of 100+ million iTunes users have infected systems with key-loggers and were phished, or that the App Store has some huge security problem?

    Just saying.

  9. Re:Ratings? by delinear · · Score: 3, Interesting

    Ratings on the Android market place seem to be even worse than those described above for the Apple app store. I frequently see people giving apps one star because it crashed on their phone, even though their phone is often either not on the supported list (usually because it lacks the resources to handle said app), or even if the developer specifically states that it doesn't work on handset X for reasons a, b and c. Alternately I see spammers everywhere giving five stars but not because they've even used the app, just because they want to post a link to their website in the comments. I'll always use proper app review sites to determine which apps are actually worth using - the reviews on the market place are worse than useless.

    In fact, the whole filtering of the market place is one of the few disappointments with my HTC - I don't know if this is because people are expected to go online to search, but there are just too few options. I can either search on top rated (which is split into paid and free, but is rubbish for the reasons I've already stated) or "just in", which I assume is ordered by timestamp, but is a mix of free and paid and seems to be useless anyway because it doesn't order by the original release date of the app, but rather by the last version update. So you end up with the position that apps are being updated several times a week. I don't know if this is a cynical move to stay at the top of the "just in" list or if these apps really are being updated for the better, but either way it has the same result on finding anything.

    And don't even get me started on the millions of useless screensaver/wallpaper/soundboard/etc apps. Why release one app which allows users to select from 1,000 different wallpapers using a web service when you can just package them as 1,000 different apps each with only 1 wallpaper and flood the hell out of the market place? Ugh, indeed.