The Global Mail, a non-profit news site, had a big break this week: a feature about security holes in iTunes that have let hackers abuse accounts as far back as 2010. In a typical scenario, an account is accessed without permission, any remaining gift card credit is spent on apps, and the user’s personal information, such as a linked PayPal account, is abused or altered.
“Those holding iTunes gift cards appear to be the most vulnerable. Once the theft had occurred, forum users say the solutions provided by Apple aren’t up to scratch,” said the Global Mail, noting that more than 1,000 instances have been reported on Apple’s forums.
Although the theft tends to range from just a couple of dollars up to $500, the more troubling aspect is Apple’s lack of transparency about the problem. Apple appears to be taking the stance of issuing refunds but, as is company protocol, not acknowledging the possibility of a systemic problem until it has a solution.
Ty Miller, chief technology officer at Pure Hacking, an IT security firm in Sydney, told the Global Mail that the hacking may be related to gift cards rather than iTunes accounts:
Still, gift card credit is what most forum users are reporting having lost, and Miller says the frequency of that complaint indicates that hackers may be using software that can generate valid gift card numbers for use in the iTunes store.
“There’s free software out there that lets you generate iTunes gift card numbers and you can actually use them in the iTunes store and buy stuff, so it may not be that the actual accounts are being hacked, it can just be the gift card numbers being used,” Miller says.
Why would hackers be using iTunes anyway? Can’t they figure out an easier way to watch that Real Housewives Reunion special? Perhaps the story of Vietnamese developer Thuat Nguyen offers a clue. In 2010, he hacked about 400 iTunes accounts to boost sales of his own apps. As the site notes, “But those hacked believe there is a pattern. And it’s true the similarities of their stories, the recurrence of purchases of the same apps, and identical amendments to some customers’ account information all suggest a coordinated effort.” Mr. Nguyen, is that you?