Thursday, August 2, 2007
iTunes security problem
I stumbled across this while waiting for a flight in a Northwest Airlines lounge. I admit I was bored and starting poking around in people's shared iTunes libraries...
There's a privacy issue with iTunes that can be exploited with some simple social engineering that could be a real problem for folks with music sharing turned on.
When you share your music in iTunes, anyone can see your library and browse it. Nothing of real importance here, but if they attempt to play any songs that you have purchased from iTunes, their machine will be prompted to validate the DRM of the song they are trying to listen to. This shouldn't be a problem BUT iTunes fills in the account name tied to the DRM. This is your account name in the form of your email address - not good. Not good at all.
Aside from the privacy issues with iTunes divulging your email address, a thief can now spoof an email to the user, say from Apple, asking them to validate their music downloads or participate in a free offer from Apple. Since you can reference their valid apple account ID along with an actual list of songs purchased from the iTunes store WITH the date of purchase, who would think that the email isn't from Apple? After all, they know all sorts of things about you in the email.
With Apple's tight tie in to your credit card information, etc. someone could do some serious damage with this exploit for sure.
As you can imagine, I have my music sharing turned off. You should too.
Hey Steve, get the iTunes guys to fix this!