The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated
The headlines over the July 4th weekend were pretty scary.
Coming less than a month after Steve Jobs unveiled Apple's (AAPL) iCloud project, the reports had a predictably unsettling effect.
"WOW," wrote The Ravenette on the Huffington Post's comment stream. "I guess we can't trust the Apple Cloud to securely contain all of our most important data. ... Hey if you all give me your credit card numbers and pin numbers I will keep them safe by painting them on a wall in Times Square."
In fact, the security of Apple's iTunes database is the envy of many an organization (e.g. Sony, the CIA, the U.S. Senate and the Arizona Department of Public Safety) that has felt the sting of Anonymous, Lulz Security and AntiSec (the splinter group that claimed responsibility for Sunday's prank). In eight years of operation, there has yet to be a credible claim of data hacking into iTunes or the Apple Store.
What happened over the weekend was certainly not that, as the Twitter message that announced it made clear:
"Not being so serious, but well," the message posted by @AnonymousIRC read. "Apple could be target, too. But don't worry, we are busy elsewhere."
The tweet pointed readers to a page on PasteBin, where the fruits of such exploits are often posted. It contains what appears to be a list of 27 user names and encrypted passwords from a SQL database for an online survey -- since taken offline -- at the Apple Business Intelligence website.
Web applications that pass unchecked user input into their SQL queries are famously vulnerable to SQL injection attacks -- one of the top 10 Web application vulnerabilities, according to the Open Web Application Security Project (OWASP). Presumably, Apple knows better than to leave the databases holding those 225 million iTunes one-click credit card accounts open to SQL injection.
Below: The file that got posted on PasteBin.
If you want on or off the Mac Ping List, Freepmail me.
If those are encrypted passwords, there’s another security failure. Three passwords are repeated, two of them repeated twice and one of them is repeated four times. That would mean that the users kept the default password that was assigned to them.
Default passwords are just too easy to guess.
That being said, I had someone in Asia hijack my iTunes account a while back and buy a bunch of virtual poker chips. I no longer tie a credit card to that account. The max I ever keep there at one time is a $25 gift card credit.
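The inference in the comment above (repeated hashes point to a shared or default password) holds because MySQL's native password hash has no per-user salt. Here is an added example, not from the article or the thread, that runs that check over a users-table export and also flags blank passwords and the pre-4.1 hash format; the rows and passwords are constructed, and `mysql_native_hash` and `audit_accounts` are names chosen for this illustration.

```python
import hashlib
import re
from collections import defaultdict

NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")  # MySQL 4.1+ format; 16-hex is pre-4.1


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(pw)).
    No per-user salt, so equal passwords always give byte-identical hashes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_accounts(rows):
    """Flag hygiene problems in (user, password_column) rows.
    empty:  NULL/blank password column
    legacy: not in the 4.1+ format (pre-4.1 16-hex hash or unrecognised)
    shared: {hash: [users]} where one hash sits on several accounts"""
    findings = {"empty": [], "legacy": [], "shared": {}}
    by_hash = defaultdict(list)
    for user, pw in rows:
        if not pw:
            findings["empty"].append(user)
        elif NATIVE_HASH.match(pw):
            by_hash[pw].append(user)
        else:
            findings["legacy"].append(user)
    # identical unsalted hashes mean identical (likely default) passwords
    findings["shared"] = {h: u for h, u in by_hash.items() if len(u) > 1}
    return findings


# Constructed sample rows in the shape of the leaked table; the hashes are
# computed from made-up passwords here, not copied from the pasted file.
SAMPLE_ROWS = [
    ("admin", mysql_native_hash("changeme")),
    ("backup", None),
    ("survey", mysql_native_hash("changeme")),
    ("myapp", mysql_native_hash("changeme")),
    ("leung", mysql_native_hash("correct-horse-battery")),
    ("spbidb05", "00a1b2c3d4e5f607"),  # constructed pre-4.1-style value
]

if __name__ == "__main__":
    for kind, value in audit_accounts(SAMPLE_ROWS).items():
        print(kind, value)
```

A real export would come from `SELECT User, Password FROM mysql.user` on a pre-5.7 server, or from the survey application's own users table if it stored hashes in the same format.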
Sure, but the purpose has been served:
Get "Apple" and "Security Breach" into the same headline! Page hits! Page hits! Tech news writers are whores. Even the ones I like, that I agree with, are whores.
ANYTHING to get that headline with "Apple" in it. ANYTHING.
What does this rag have to do with Fort Worth?