Apple: 400 iTunes Accounts Hacked

Artwork: Chip Taylor
Apple now admits 400 iTunes accounts were hacked and used by a Vietnamese developer, Thuat Nguyen, to push his iPhone apps to best seller status over the weekend. But here is the zinger; Apple is saying it was no big deal. Four hundred accounts equals 0.0003 percent of the over 150 million iTunes account holders, Apple points out.

The downplaying of the hack comes as little consolation to many who believed Apple's walled garden would offer protection from rogue developers and hackers. After all, Apple runs a very tight ship when it comes to the App Store. (See related: Apple's iPhone App Fraud: Where Were the App Police?)

Reports emerged on Sunday that Nguyen gamed the App Store ratings in the Books category, by purchasing his own apps using hacked iTunes accounts. At one point, the developer's apps occupied 42 of the top 50 apps sold in the Books section, and users reported purchases of up to $500 with their accounts.

Nguyen's apps had been removed from the App Store late as of Sunday, because he "violat[ed] the developer Program License Agreement, including fraudulent purchase patterns," Apple said. The company also claims that its iTunes servers were not compromised in any way.

When short, insecure passwords for iTunes accounts are used, users leave themselves open to hackers guessing their credentials. Compromised accounts are also nothing new: on the forums of the MacRumors site, there are dozens of replies in threads dating back from 2008 reporting such problems.

Following this incident, Apple will ask more frequently for your CCV number from your card (last three digits from the number at the back of the card), which is supposed to prove that the card in is the possession of the person making the purchase.

Developer suspicious of Apple's claims

Alex Brie, one of the developers who first reported the App Store problems with the Vietnamese developer, is suspicious of Apple's claims. After his calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store.

Brie, who also develops iPhone books apps, was affected by Nguyen's gaming of the App Store ratings. Despite Apple's claims, he speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple's iTunes servers and skip the normal security steps, or run an automated scripted program.

One final question

Apple is well known for its draconian App Store approval process, so there are questions over how Thuat Nguyen's apps got approved in the first place. The developer links for these apps led to a parked (inexistent) domain, and according to one report, they even featured copyrighted material.

Subscribe to the Security Watch Newsletter

Comments