The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated
The headlines over the July 4th weekend were pretty scary.
- Wall Street Journal: “Computer-Hacking Group Targets Apple In Latest Attack”
- Financial Times: “Hackers Claim Attack on Apple Server”
- Gizmodo: “Apple Is Latest Company To Feel the Might of AntiSec’s Hacking Power”
Coming less than a month after Steve Jobs unveiled Apple’s (AAPL) iCloud project, the reports had a predictably unsettling effect.
“WOW,” wrote The Ravenette on the Huffington Post's comment stream. “I guess we can't trust the Apple Cloud to securely contain all of our most important data. … Hey if you all give me your credit card numbers and pin numbers I will keep them safe by painting them on a wall in Times Square.”
In fact, the security of Apple’s iTunes database is the envy of many an organization (e.g. Sony, the CIA, the U.S. Senate and the Arizona Department of Public Safety) that has felt the sting of Anonymous, Lulz Security and AntiSec (the splinter group that claimed responsibility for Sunday’s prank). In eight years of operation, there has yet to be a credible claim of a breach of iTunes or the Apple Store.
What happened over the weekend was certainly not that, as the Twitter message that announced it made clear:
“Not being so serious, but well,” the message posted by @AnonymousIRC read. “Apple could be target, too. But don’t worry, we are busy elsewhere.”
The Tweet pointed readers to a page on PasteBin, where the fruits of such exploits are often posted. It contains what appears to be a list of 27 account names and password hashes pulled from the MySQL database behind an online survey, since taken offline, at the Apple Business Intelligence website. These are not encrypted passwords: the entries that begin with an asterisk followed by 40 hex digits are MySQL’s standard unsalted SHA1-of-SHA1 password hashes (the 4.1+ format), the lone 16-character entry is the older pre-4.1 hash format, and a NULL in that column, if this is indeed the server’s own privilege table (the dump is labelled “db: mysql”), would mean the account requires no password at all.
Unless queries are written so that user input is bound as data rather than spliced into the statement text, SQL-backed web applications are vulnerable to SQL injection, which the Open Web Application Security Project lists among its Top 10 web-application risks; a URL ending in survey?id= is exactly the kind of parameter an attacker probes first. Presumably, Apple knows better than to leave the databases holding those 225 million iTunes one-click credit-card accounts open to SQL injection.
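To make concrete what a survey?id= parameter invites, here is an added example (not code from the article, from the posted file, or from Apple’s site) that models such an endpoint against an in-memory SQLite database. The table and column names, survey titles, account names and placeholder hash strings are all constructed for the example. The vulnerable handler splices the id into the statement, so a UNION payload returns rows from an unrelated table alongside the survey; the hardened handler validates the id and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for the survey application's backing store. Table and
# column names, survey titles, account names and the placeholder hash strings
# are all invented for this example; nothing here is copied from the real site.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE surveys (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE users (user TEXT NOT NULL, password TEXT);
        INSERT INTO surveys VALUES (1, 'Customer satisfaction'), (2, 'Reseller feedback');
        INSERT INTO users VALUES
            ('admin',  '*PLACEHOLDER_HASH_FOR_ADMIN'),
            ('survey', '*PLACEHOLDER_HASH_FOR_SURVEY'),
            ('backup', NULL);
        """
    )
    return conn


DB = build_db()


def vulnerable_lookup(conn: sqlite3.Connection, survey_id: str) -> list:
    """A handler that pastes the ?id= value straight into the statement.

    Whatever the client sends becomes SQL, so the WHERE clause is theirs to extend.
    """
    sql = "SELECT id, title FROM surveys WHERE id = " + survey_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, survey_id: str) -> list:
    """The same query with the id validated and then bound as a parameter.

    The driver sends the value separately from the statement text, so it can
    only ever be compared against the id column, never parsed as SQL.
    """
    if not re.fullmatch(r"[0-9]{1,10}", survey_id):
        return []  # reject before touching the database
    return conn.execute(
        "SELECT id, title FROM surveys WHERE id = ?", (int(survey_id),)
    ).fetchall()


# A UNION-based payload: the attacker matches the column count of the original
# query (two) so the engine appends rows from another table to the result.
PAYLOAD = "1 UNION ALL SELECT user, password FROM users"

if __name__ == "__main__":
    print("normal:   ", vulnerable_lookup(DB, "1"))
    print("injected: ", vulnerable_lookup(DB, PAYLOAD))
    print("hardened: ", safe_lookup(DB, PAYLOAD))
```

Parameter binding closes the injection itself, but the dump above is labelled “db: mysql”, so if it really was read through the survey endpoint, the account the application connected with could read the server’s own privilege schema. A least-privilege GRANT confined to the survey’s tables would have limited what even a successful injection could reach.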
Below: The file that got posted on PasteBin.
SITE: http://abs.apple.com:8080/ssurvey/survey?id=
db: mysql table: users
[27 entries]
+---------------+
| User          |
+---------------+
| admin         |
| backup        |
| bnewcomb      |
| bulkmail      |
| leung         |
| masuo         |
| myapp         |
| process_super |
| rlinton       |
| sharp         |
| survey        |
| web_csat      |
| spbidb05      |
| status_check  |
| survey_slave  |
| NULL          |
| root          |
| NULL          |
| admin         |
| backup        |
| backup_user   |
| bnewcomb      |
| bulkmail      |
| masuo         |
| myapp         |
| root          |
| survey        |
+---------------+
+-------------------------------------------+
| Password                                  |
+-------------------------------------------+
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| NULL                                      |
| NULL                                      |
| NULL                                      |
| *5DDF97914AE903CD933CFA428E6582A214E66339 |
| *5DDF97914AE903CD933CFA428E6582A214E66339 |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *758A94318E1CCA45D996610F8A97E6BAA48C02FE |
| *758A94318E1CCA45D996610F8A97E6BAA48C02FE |
| 2bbe9f0c59e89c66                          |
| *97757F6F08362A7CBA6F30E72EB90A73C79168EE |
| *5B3643923A375B56250D11532289B2675C69AE62 |
| *45930B494440B7335C3F98DB0FD14441166B57BB |
| *FF642075DCA52A257F8DB745546F1E643D0B07DA |
| *FF642075DCA52A257F8DB745546F1E643D0B07DA |
| *35D14C41D95FA9DC79DF22641B7F9F98ECFDA55B |
| *BAFD507E802E9B17D99E22A1360CECD386149822 |
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| *5B202DF112417035DF7A62DDC250A9ADB0F22BDD |
| *8C69224DCDC9A8FB2122952DF5B57A4AB7FE456A |
| *AEEE48760B9DCE2800776CE1FF6915FE91D8C894 |
| *406E480B04BF741F3FB65E0C8976FC856BDBF418 |
| *3D845C052A1D31F3D8D3E864735E84DF3E07C9D0 |
+-------------------------------------------+
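The Password column holds MySQL password hashes, not encrypted passwords. The following is an added example (not from the article, from the posted file, or from Apple) that recognises the three formats visible in the dump, computes the MySQL 4.1+ mysql_native_password hash (an asterisk followed by the upper-case hex of SHA1(SHA1(password))) so a candidate can be checked against a stored value, and counts which posted hashes repeat across accounts. The 27 hash strings are copied verbatim from the file above; the value “password” used to check the hash function is a constructed test input, not a password recovered from the dump.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional

HEX = set("0123456789abcdefABCDEF")

# The 27 Password entries exactly as they appear in the posted file.
POSTED_HASHES: List[str] = [
    "*7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6",
    "NULL", "NULL", "NULL",
    "*5DDF97914AE903CD933CFA428E6582A214E66339",
    "*5DDF97914AE903CD933CFA428E6582A214E66339",
    "*2447D497B9A6A15F2776055CB2D1E9F86758182F",
    "*2447D497B9A6A15F2776055CB2D1E9F86758182F",
    "*2447D497B9A6A15F2776055CB2D1E9F86758182F",
    "*2447D497B9A6A15F2776055CB2D1E9F86758182F",
    "*758A94318E1CCA45D996610F8A97E6BAA48C02FE",
    "*758A94318E1CCA45D996610F8A97E6BAA48C02FE",
    "2bbe9f0c59e89c66",
    "*97757F6F08362A7CBA6F30E72EB90A73C79168EE",
    "*5B3643923A375B56250D11532289B2675C69AE62",
    "*45930B494440B7335C3F98DB0FD14441166B57BB",
    "*FF642075DCA52A257F8DB745546F1E643D0B07DA",
    "*FF642075DCA52A257F8DB745546F1E643D0B07DA",
    "*35D14C41D95FA9DC79DF22641B7F9F98ECFDA55B",
    "*BAFD507E802E9B17D99E22A1360CECD386149822",
    "*7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6",
    "*7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6",
    "*5B202DF112417035DF7A62DDC250A9ADB0F22BDD",
    "*8C69224DCDC9A8FB2122952DF5B57A4AB7FE456A",
    "*AEEE48760B9DCE2800776CE1FF6915FE91D8C894",
    "*406E480B04BF741F3FB65E0C8976FC856BDBF418",
    "*3D845C052A1D31F3D8D3E864735E84DF3E07C9D0",
]


def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(password)) as upper-case hex.

    There is no salt and no per-account secret, so equal passwords give
    equal hashes and one precomputed table attacks every account at once.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(stored: Optional[str]) -> str:
    """Name the storage format of one Password column value."""
    if stored is None or stored.strip() in ("", "NULL"):
        return "empty"  # in mysql.user this means no password is required
    if len(stored) == 41 and stored[0] == "*" and all(c in HEX for c in stored[1:]):
        return "mysql_native_password"  # 4.1+ double-SHA1 format
    if len(stored) == 16 and all(c in HEX for c in stored):
        return "old_password"  # pre-4.1 format, far weaker than SHA1
    return "unknown"


def verify(candidate: str, stored: str) -> bool:
    """Check a candidate password against a mysql_native_password hash."""
    return (classify(stored) == "mysql_native_password"
            and mysql_native_password(candidate) == stored.upper())


def repeated(hashes: List[str]) -> Dict[str, int]:
    """Hashes shared by more than one account: same hash means same password."""
    counts = Counter(h for h in hashes if classify(h) != "empty")
    return {h: n for h, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(Counter(classify(h) for h in POSTED_HASHES))
    for h, n in repeated(POSTED_HASHES).items():
        print(f"{n} accounts share {h}")
    # Constructed check value; "password" is not taken from the dump.
    print(verify("password", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"))
```

Five of the posted hashes appear more than once, which an unsalted scheme makes visible at a glance: the accounts behind them share a password, and cracking one cracks all of them. The 16-character entry is the pre-4.1 format, which is weaker still and should not exist on a maintained server.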