Rigged podcasts can leak your iTunes username/password

Hackers can create malicious podcasts to hijack usernames and passwords from Apple's iTunes software.

According to a warning from Apple, a "design issue" in the iTunes podcast feature can be abused via rigged audio files to cause an authentication dialog to be presented to the user. Any iTunes credentials the user enters in that dialog are sent to the attacker's podcast server, where they can be harvested.

[ SEE: Apple plugs gaping iTunes hole, doesn't tell everyone ]

From Apple's advisory:

  • A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server.

Apple has shipped a patch in iTunes 8.1 to clarify the origin of the authentication request in the dialog box.
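As an added illustration of the approach the fix takes (this is example code, not the article's or iTunes' own), the following client-side logic names the origin that is asking for a password and only ever reuses saved credentials for the exact origin they were saved for. The store origin and the saved account are constructed placeholders, not Apple's real endpoints.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the only origin this client has a saved account for
# (stands in for a store login; not Apple's real endpoint).
SAVED_CREDENTIALS = {
    "https://store.example.com:443": ("alice", "correct-horse"),
}


def origin_of(url: str) -> str:
    """Normalise to scheme://host:port so lookups cannot be fooled by path,
    query or userinfo tricks: https://store.example.com@feeds.example.net/
    has hostname feeds.example.net."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or hostless URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def handle_challenge(request_url: str, realm: str):
    """Decide what to do with an HTTP 401 from the host serving a feed.

    Returns ("reuse", (user, password)) only when an account is saved for
    this exact origin; otherwise ("prompt", message), where the message names
    the requesting host rather than trusting the realm text the server sent.
    """
    origin = origin_of(request_url)
    if origin in SAVED_CREDENTIALS:
        return "reuse", SAVED_CREDENTIALS[origin]
    # The realm is attacker-controlled text: drop control characters and cap
    # its length so it cannot push the origin out of view or fake a new line.
    safe_realm = "".join(ch for ch in realm if ch.isprintable())[:64]
    message = (
        f"The podcast server {origin} is asking for a username and password "
        f'(it labels the request "{safe_realm}"). No saved account matches '
        f"this server; anything you type here is sent to {origin}."
    )
    return "prompt", message
```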

The iTunes update also corrects a denial-of-service flaw that can be caused via maliciously crafted DAAP messages.

  • An infinite loop exists in the handling of iTunes Digital Audio Access Protocol (DAAP) messages. Sending a message containing a maliciously crafted Content-Length parameter in the DAAP header may lead to a denial of service. This update addresses the issue by performing additional validation of DAAP messages.

The denial-of-service bug does not affect Mac OS X systems.
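The advisory says the fix adds validation of DAAP messages; as an added example (not the article's or iTunes' code), here is what strict Content-Length handling looks like in a framed-message reader. The framing assumed here, an HTTP-like header block followed by a body, and the size caps are assumptions for illustration; the exact parsing flaw in iTunes was not published.

```python
import io

MAX_BODY = 16 * 1024 * 1024   # constructed cap on accepted body size
MAX_HEADER_LINES = 64         # constructed cap on header block length

class BadMessage(ValueError):
    """Framing error: caller should drop the connection rather than retry."""

def parse_content_length(value: str) -> int:
    """Accept only a plain ASCII decimal within bounds; rejects "", "-1",
    "+5", "1e9", "0x10", Unicode digits and oversize values."""
    text = value.strip()
    if not (text.isascii() and text.isdigit()):
        raise BadMessage(f"malformed Content-Length: {value!r}")
    length = int(text)
    if length > MAX_BODY:
        raise BadMessage(f"Content-Length {length} exceeds cap {MAX_BODY}")
    return length

def read_message(stream):
    """Read one header block, then exactly Content-Length body bytes."""
    headers = {}
    for _ in range(MAX_HEADER_LINES):
        line = stream.readline()
        if not line:
            raise BadMessage("stream ended inside header block")
        if line in (b"\r\n", b"\n"):
            break
        name, sep, val = line.decode("ascii", "replace").partition(":")
        if not sep:
            raise BadMessage(f"header line without ':': {line!r}")
        headers[name.strip().lower()] = val.strip()
    else:
        raise BadMessage("too many header lines")
    length = parse_content_length(headers.get("content-length", "0"))
    body = stream.read(length)  # one bounded read, never a wait-for-more loop
    if len(body) != length:
        raise BadMessage(f"body has {len(body)} bytes, expected {length}")
    return headers, body

def parse_bytes(data: bytes):
    """Parse a fully buffered message (what the tests call)."""
    return read_message(io.BytesIO(data))

def rejects(data: bytes) -> bool:
    """True when the reader refuses the message instead of hanging on it."""
    try:
        parse_bytes(data)
        return False
    except BadMessage:
        return True
```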

Talkback

  • Then I guess...

    ...it's a good thing I don't use the iTunes Music Store. Imagine Limewire and Vuze actually protecting your ID!
    vikingnyc@...
  • what about iTunes on the iPhone?

    iTunes on iPhone is constantly asking me to validate my login credentials (even when just running in the background!) despite the fact that the iTunes app is already logged in (as is indicated in the text field that displays the user status).

    However, this seems to me more typical of the regular bugginess of the iPhone in general rather than a special case of an iTunes security flaw.

    Any thoughts?
    davidf01
  • actually, it's fixed

    But you keep up your practice of reporting fixes as if they're problems, Ryan.

    What a dishonest act.

    Narr Vi.
    Narr vi
    • QFT
      bishofthedump
    • For telling us what was fixed? Apple sure didn't. Who's dishonest here? NT
      invmgr@...
      • Pardon me, yes Apple did. NT
        invmgr@...
  • RE: Rigged podcasts can leak your iTunes username/password

    Sounds like a problem to me! I have to wonder how many users have been affected by this. And I can see where we are going to see other issues come out of this.
    Daedalu
  • RE: Rigged podcasts can leak your iTunes username/password

    IT IS a problem if you don't update your iTunes. Thanks for making us aware of this, so we can take measures to protect ourselves! I typically do not update for a month or so after each update comes out. This is because there are usually issues with each update and I have had to uninstall & reinstall original iTunes because of past iTunes updates that would not work properly.
    bblaho
    • Hmm...

      [i]I typically do not update for a month or so after each update comes out. This is because there are usually issues with each update and I have had to uninstall & reinstall original iTunes because of past iTunes updates that would not work properly[/i]

      Wow, I thought Apple software was flawless.
      Updating to new versions has given you issues? I'm surprised...

      But I guess minor headaches like that are a small price to pay for amazing Apple software.
      tikigawd
      • amazing?

        What amazing software? iTunes is absolutely horrible, running background tasks non-stop even if you never use it... it's heavier than a lot of anti-virus software and is absolutely full of bugs... and I'm using the latest version... Apple fails
        pillbox1234567
        • I think he was being sarcastic (NT)
          Yax_to_the_Max
          • But Pillbox wasn't... NT
            invmgr@...
          • YAY FACETIOUS! <NT>
            nix_hed
    • I'm still running an older version. Thanks for the update.

      As for the other posters who wondered why Ryan even posted this story...

      Your protectionism is absurd.

      QFT LOLO
      pcguy777
  • Impossible! Apple products are bulletproof and utterly secure!

    /sarcasm
    HypnoToad
    • extreme sarcasm more like

      Apple products are anything but perfect... in fact they aren't even close... my church has 2 brand new failed Macs and another older one that also failed... and I've had tons of issues with new Mac computers, all OS or software related
      pillbox1234567
    • So was the Titanic.

      Also can you invest with Bernie Madoff...
      phatkat
  • Terminology

    I find it funny that Microsoft reports "critical vulnerabilities" while Apple reports "design issues."
    Mewshew
  • RE: terminology

    Brilliant
    onedavester@...
  • Pure FUD

    Look, first of all, this only happens in Windows. (No big surprise there.)

    Secondly, if you were hacked, just deny the charges. Might be a hassle, but has anyone actually been hacked? Seriously? Who?

    This is just the scared Windows fan-clowns taking a bug fix and trying to make it into much, much more than it is. Trying to make it look like there are security problems outside of Windows, when in fact, they are like 99.99% Windows problems (or pure user stupidity such as choosing Windows as your OS) to begin with.

    When are you fan-clowns going to wake up and switch to Linux (Have fun with that! :-) or Mac?

    Sad, really.
    comp_indiana