Feeds

iTunes privacy hole shares library content with world+dog

Beware of SpyTunes

Build a business case: developing custom apps

A technology researcher has unearthed a privacy hole in Apple's iTunes Store that makes it easy for unauthorized people to learn what music, videos and apps you've acquired from the online bazaar.

The technique, which is described in a recent post by Andrew McAfee, exploits design weaknesses in a feature of the online store that allows one customer to send gifts to another iTunes customer. By creating a list of songs, videos or apps and telling iTunes the email address of the intended recipient, you can find out whether the person already has acquired the title from Apple.

“This is done with good intentions – to keep users from gifting music that the recipient already has – but the implementation of this feature opens up privacy concerns: if the check reveals duplicates,  iTunes tells the gifter about one of them,” McAfee writes. “The application presents this information to [the snoop] in red ink, before he has to sign in to his account, present credit card information, or take any other steps.”

What's more, the disclosure happens without notifying or getting permission from the recipient. All that's required is the email address the person uses with her iTunes account. People who exploit the weakness to spy on others need not sign into an account, provide a credit card number or take other steps, McAfee says.

No doubt, music purchases aren't the most sensitive of lists. Plenty of people are more than happy to share their music tastes with anyone who will listen. But as McAfee points out, the Video Privacy Protection Act imposes federal penalties on any person engaged in the business of renting, selling or delivering a “video tape” who publishes information about a customer's viewing habits.

And as Netflix has learned the hard way, publishing even innocuous-seeming details about what movies customers watch can have serious and unintended consequences.

Apple's response when users are given titles they've already acquired as gifts is in stark contrast to the way Amazon handles Amazon Kindle gifts that the recipient already owns. According to McAfee, Amazon lets the purchase go through, but instead of sending the receiver a title she already owns, gives her credit for the title instead.

“To put it mildly, this seems like a better approach to me,” McAfee says. ®

Next gen security for virtualised datacentres

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?