Does iTunes (and iCloud) have a systemic security problem? [updated]

John Gruber doesn’t think so, but my experience and the experiences of countless others seem to show otherwise.

Back in late January of this year, I received a curious email from Apple, indicating that the credit card information and billing address listed in my iTunes Store account had been recently changed. Now, I never keep credit cards on file with retailers, nor do I have the iTMS linked to PayPal. I strictly adhere to a policy of making music, app and video purchases using only gift card balance, mainly out of concern that credit card account information stored anywhere outside my wallet or my noggin is inherently vulnerable, so I avoid it when possible.

I logged into my iTunes account and found that, while my street address remained the same, my house had been magically transported to Towson, MD 21286-7840. Furthermore, my account balance, which had been about $34 the evening before, now hovered around 12¢. Apparently, after teleporting to Towson, I went on a spending spree, buying Fruit Ninja, Fruit Ninja HD, Angry Birds Seasons, Angry Birds Seasons HD, Plants vs Zombies, Plants vs Zombies HD, and so on, including a mystery lifestyle app titled “27000+ 天下美食.”

[Image: List of Fraudulent Purchases on the iTunes Store]

Immediately, I dashed off a support request to Apple stating that I did not change my address or billing information, that I did not buy the apps listed in the most recent invoice, and that I expected a refund of my balance.

Apple’s initial response stated that it must have been my fault:

  • either one of my family members made the changes and purchases, or
  • I exposed myself to fraud by following a phishing link,
  • by using an easily penetrated email service, or
  • by using an insecure password.

There are only a few tiny flaws in those arguments:

  • my wife has her own account and did not move to Towson in the middle of the night (and the two-year-old doesn’t have a credit card);
  • I never, ever follow links in emails, ever… and generally manually type URLs (I’m old-school);
  • I run a self-hosted mailserver (I’m glancing over at it as I type this), on which I have multiple accounts (and loads of aliases), but I’m the only real user; and
  • my iTunes password was a randomly-generated alphanumeric string (and really fun to type on an iPhone; now it’s an even-longer random string, and the email address is unique to iTunes, as well).

Worse, a quick search turned up a consistent pattern, starting in November 2010, of iTunes accounts being subject to unauthorized access in which the perpetrators change the billing City, State and ZIP to read “Towson, Maryland 21286-7840.” They then use any existing balances on the iTunes accounts to buy apps and music, until the balance is less than 99¢ — they do not spend more than the balance, to ensure that a credit card is not needed/charged. The name on the account, the email address and the street address remain unchanged. The majority of the victims who have posted details of this unauthorized access claim to have never received any phishing attempts for access to the iTunes store. (Examples of fraudulent access to iTunes accounts, on Apple’s discussion boards and MacRumors’ forums.)
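The pattern described in the previous paragraph is specific enough to be turned into a detection rule. The following is an added example (not code from Apple, and not part of the original post) that encodes the reported fingerprint: billing city, state and ZIP rewritten to Towson, MD 21286-7840 while name, email and street stay untouched, followed by balance-only purchases that stop once less than 99¢ remains and never touch a credit card. The account-record schema, field names and sample accounts are hypothetical and constructed for illustration; the rule also generalises slightly by rejecting any account where a card was charged, since the post says the perpetrators avoid that.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Billing address the post reports on every compromised account.
TOWSON_BILLING = {"city": "Towson", "state": "MD", "zip": "21286-7840"}
# Fields the post says the perpetrators leave alone.
IDENTITY_FIELDS = ("name", "email", "street")
# Spending stops once less than one 99-cent item's worth of balance is left.
DRAIN_THRESHOLD = Decimal("0.99")


@dataclass
class Purchase:
    title: str
    amount: Decimal
    paid_with: str  # "balance" or "card" (hypothetical field)


@dataclass
class AccountActivity:
    """One account's record for the review window (hypothetical schema)."""
    account_id: str
    before: dict            # name/email/street/city/state/zip before the change
    after: dict             # same keys after the change
    balance_before: Decimal
    purchases: list = field(default_factory=list)

    def remaining_balance(self) -> Decimal:
        spent = sum((p.amount for p in self.purchases if p.paid_with == "balance"),
                    Decimal("0"))
        return self.balance_before - spent


def billing_rewritten_to_towson(acct: AccountActivity) -> bool:
    """True only if the address was changed *to* Towson during the window."""
    now_towson = all(acct.after.get(k) == v for k, v in TOWSON_BILLING.items())
    was_towson = all(acct.before.get(k) == v for k, v in TOWSON_BILLING.items())
    return now_towson and not was_towson


def identity_untouched(acct: AccountActivity) -> bool:
    """Name, email and street address unchanged, as the post reports."""
    return all(acct.before.get(k) == acct.after.get(k) for k in IDENTITY_FIELDS)


def balance_drained_without_card(acct: AccountActivity) -> bool:
    """Balance-only purchases that leave less than 99 cents and no card charge."""
    if not acct.purchases:
        return False
    if any(p.paid_with != "balance" for p in acct.purchases):
        return False
    left = acct.remaining_balance()
    return Decimal("0") <= left < DRAIN_THRESHOLD


def matches_towson_pattern(acct: AccountActivity) -> bool:
    return (billing_rewritten_to_towson(acct)
            and identity_untouched(acct)
            and balance_drained_without_card(acct))


def find_suspect_accounts(activities) -> list:
    return [a.account_id for a in activities if matches_towson_pattern(a)]


def _person(name, email, street, city, state, zip_code):
    return {"name": name, "email": email, "street": street,
            "city": city, "state": state, "zip": zip_code}


def sample_activities() -> list:
    """Constructed sample records, not real account data."""
    towson = ("Towson", "MD", "21286-7840")
    # Looks like the post: address moved, identity intact, $34 drained to 10 cents.
    victim = AccountActivity(
        "victim-0001",
        _person("A. Reader", "itunes@example.net", "1 Main St", "Springfield", "IL", "62701"),
        _person("A. Reader", "itunes@example.net", "1 Main St", *towson),
        Decimal("34.00"),
        [Purchase("Fruit Ninja", Decimal("0.99"), "balance")] * 3
        + [Purchase("Angry Birds Seasons HD", Decimal("2.99"), "balance")] * 3
        + [Purchase("Plants vs Zombies HD", Decimal("4.99"), "balance")] * 3
        + [Purchase("27000+ 天下美食", Decimal("6.99"), "balance")],
    )
    # A real move to Towson that pays with a card: not the pattern.
    mover = AccountActivity(
        "mover-0002",
        _person("B. Resident", "b@example.org", "9 Oak Ave", "Baltimore", "MD", "21201"),
        _person("B. Resident", "b@example.org", "9 Oak Ave", *towson),
        Decimal("0.00"),
        [Purchase("Some App", Decimal("1.99"), "card")],
    )
    # Address changed but most of the balance is still there: not the pattern.
    partial = AccountActivity(
        "partial-0003",
        _person("C. User", "c@example.com", "5 Elm Rd", "Denver", "CO", "80202"),
        _person("C. User", "c@example.com", "5 Elm Rd", *towson),
        Decimal("34.00"),
        [Purchase("Some App", Decimal("0.99"), "balance")],
    )
    return [victim, mover, partial]
```

Run as `python -c "import towson; print(towson.find_suspect_accounts(towson.sample_activities()))"` (assuming the block is saved as `towson.py`) and only `victim-0001` is reported. The rule deliberately requires all three signals, so a legitimate customer in that ZIP code, or an attacker who changes the email address (a different, phishing-style takeover), is not flagged by this particular pattern.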

Apple’s “iTunes Store Advisor” happily ignored any mention of those facts, replying with a link to Apple’s guide to suggested security practices. To their credit, they restored my account balance in less than 24 hours, though immediately afterward they disabled my account on suspicion of “fraudulent access.” (Go figure.) That, in and of itself, caused three days of pain, as the Apple ID associated with the account dated back to the heady days of iTools and, so, lacked the @mac or @me that the system expected after the rollout of the free edition of ‘Find my iPhone.’ (My connections with Apple are many and go waaay back to 1987.) My old password would have required around 6,300 machine hours to crack; my new password would need 14 billion machine hours.

I was hoping that, despite the outward appearance of having ignored my account security concerns, Cupertino was hard at work on fixing the issue and tracking down the twerps in Towson, MD. Apparently not.

Microsoft Principal Program Manager Scott Hanselman’s iTunes account was recently compromised and used to make $40 in fraudulent app purchases. Tech writer MG Siegler believes that Hanselman’s login and password were compromised, and Gruber agrees. I don’t. For the better part of a year, the evidence indicates that there is a systematic vulnerability in the iTunes Store. Apple is undoubtedly aware of it, despite blatantly ignoring the hundreds, if not thousands, of users who have experienced the same violation.

Correction: Originally, I had mis-attributed the opinion that there was an inherent vulnerability to MG Siegler. He, in fact, argues (quite logically) that the simplest explanation is that Hanselman’s login and password information were known to the perpetrators. I regret the error.