Users Report Foul Play In App Store Rankings, Purchases

An anonymous reader writes "Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen. What's more concerning is that it seems individuals' iTunes accounts have been hacked to make mass purchases of that one developer's apps." Among the comments attached to the linked story is one which suggests the security problem may lie elsewhere.

Hrm

[therealobsideus]

Perhaps this is just another reason why I don't use iTunes. If I like an artist I download, I'll buy their CD - if not, I delete it. And makes it much easier to convert a CD to ogg or flacs than with a lot of their Apple's AAC crap.

Re:Hrm

[Anonymous Coward]

Jobs doesn't care as long as he can by another yacht. Someone will mod this troll because they are an apple fanboy. But the truth is he is as unscrupulous as Balmer, Larry Ellison, and a world of corporations and lawyers. Apple, just like the rest, will only do as little as they need to as long as they have a bunch of sheep willing to buy whatever he trots out on stage next.

Re:Hrm

[socceroos]

Meh, every online store is going to have its weaknesses. Unfortunately, most of the time, the greatest weakness is the users themselves.

Not trying to justify iTunes - I hate it. Just saying that I doubt its any more 'hackable' than the next online store.

Re:Hrm

[Anonymous Coward]

Not liking assholes and viewing greed as a negative human quality doesn't necessarily make one a communist.

Sounds like phishing...

[maccodemonkey]

Any bets? Sounds like there were suddenly a bunch of phished accounts that got "activated."

Re:Possible details from AppleInsider

[girlintraining]

More details here though so far there's no explanation of how the accounts are getting hacked.

It's not hard to guess: Average people use the same password for just about everything, or simple permutations of the same password. Get access to any source that the user entered a password for, gain access to everything else.

Re:Hrm

[sortius_nod]

Exactly.

It's kind of like blaming Blizzard for people's WoW accounts getting hacked. Your account has something someone wants, they'll try to get it. If you use weak passwords, well, no one's fault but your own there.

Re:Sounds like phishing...

[gsgriffin]

Yep. Email for you: "Secure your iTunes account now...All iTunes customers are encouraged to log on to their account and change their passwords now. CLICK HERE TO GO TO THE SECURE WEBSITE. Enter your personal info and we will make sure you are protected...blah blah"

I hate to think that 20 years from now we will still have people all around the world falling victim to phishing. Everyday I get princes and princesses from all around the world that need my help in transferring millions of dollars to the US. Every time I delete the email, I think, "lots of people are falling for this today and losing their money....sad!"

Re:Hrm

[Mitsoid]

Except Blizzard has a track record of account restoration and decent customer service in this area.

In reality, most of the time it's neither party's fault -- The recent Adobe Flash exploit hurt a lot of people as they targeted flash advertisements for wow websites... even legitimate websites could be infected as they have to show advertisements to stay in business.

Thankfully, Blizzard realizes that blaming end-users when a large, large percentage did not 'ask' for it, only costs the company money in the end when users stop using their service.

Re:Hrm

[Compholio]

But corporations have a right to make profits!!! The public good is just a concept after all, so it can't have any rights. </sarcasm>

Re:Jobs answer

[Anonymous Coward]

This joke DOESN'T MAKE SENSE. Stop modding bullshit.

Re:The hell?

[Inf0phreak]

If you know how the name Nguyen is supposed to be pronounced, you'll be completely blind to the second half of this attempted joke ("attempted joke"---almost sounds like a crime, doesn't it?)

You've been Steeved!

[Animats]

Other problem with iTunes, "All sales are final." .... From Terms and conditions, security section: "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account. "

That's so Steve Jobs.

Re:Hrm

[shutdown -p now]

I fail to see what relevance Apple (much less Steve Jobs personally) has here. This is about hacked user accounts. This kind of thing is an unfortunate fact of life, keeping in mind that social engineering attacks take up the majority in security breaches. There's only so much Apple can do to mitigate this, and I don't see that they missed anything.

Heck, if anything, Apple's "walled garden" model - for all my dislike of it - is most efficient at dealing with these kinds of abuses. When malware authors have to go to the effort of hacking user accounts to get their crap shoved at users, you know they're tight against the wall already. In comparison, with Android, you just call yourself "Googe" (note spelling) and upload your malware directly [androlib.com].

(How do I know it's malware? I haven't installed it, of course - but when all their apps, including a non-multiplayer five-in-a-row game, request "full network connectivity" and "location information" permissions on install, you know something's fishy; the fake company name is just icing on the cake.)

The irony is that I can't even use Market feature to report it as malware, or at least write a 1-star review with a warning, because you can only write reviews/complaints once you install the app...

Occam's Razor

[webdog314]

After reading the article, the other linked article, and the comments posted on the linked site, I have to ask what's more likely here: that approximately 30 people out of 100+ millions of iTunes users have infected systems with key-loggers and were phished, or that the App Store has some huge security problem?

Just saying.