A bug in the iTunes service allows exposure of private data to third parties

February 22, 2011 - 3:14am | Fraud | News

Recent research found that a bug in the Apple iTunes service allows third parties to access private information about users, such as what music, videos and apps they have purchased from the store.

The flaw was tested by Andrew McAfee, who posted findings explaining how design weaknesses can be exploited in a feature of the online store that lets one customer send gifts to another iTunes customer. The gifter creates a list of songs, videos or applications and types the email address of the recipient. The system immediately reports whether that person has already acquired the title from Apple.

“This is done with good intentions – to keep users from gifting music that the recipient already has – but the implementation of this feature opens up privacy concerns: if the check reveals duplicates, iTunes tells the gifter about one of them,” McAfee writes. “The application presents this information to [the snoop] in red ink, before he has to sign in to his account, present credit card information, or take any other steps.”

What's more, the disclosure happens without notifying or getting permission from the recipient. All that's required is the email address the person uses with her iTunes account. People who exploit the weakness to spy on others need not sign into an account, provide a credit card number or take other steps, McAfee says.
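
A minimal model of the duplicate check described above, next to one way to close the leak. This is an added example, not Apple's code or McAfee's; every function name, the sample data and the redemption-time credit design are assumptions made for illustration.

```python
# Constructed model of a gift-duplicate check; all names and data are hypothetical.
PURCHASES = {  # constructed sample data: account email -> titles owned
    "alice@example.com": {"Song A", "App B"},
}


def check_gift_leaky(recipient_email, titles):
    """Behaviour described in the article: no sender authentication,
    and the response names a title the recipient already owns."""
    owned = PURCHASES.get(recipient_email, set())
    for title in titles:
        if title in owned:
            return {"ok": False, "duplicate": title}
    return {"ok": True}


def check_gift_hardened(sender_session, recipient_email, titles):
    """Sender must be signed in, and the reply never depends on the
    recipient's library or on whether the address has an account."""
    if sender_session is None:
        return {"ok": False, "error": "sign-in required"}
    return {"ok": True, "queued": len(titles)}


def redeem_gift(recipient_email, titles):
    """Duplicates are resolved on the recipient's side at redemption,
    so only the account owner learns about the overlap."""
    owned = PURCHASES.setdefault(recipient_email, set())
    duplicates = [t for t in titles if t in owned]
    added = [t for t in titles if t not in owned]
    owned.update(added)
    return {"added": added, "credit_for": duplicates}
```

The good intention McAfee mentions, avoiding duplicate gifts, is preserved by `redeem_gift`, while the gifter-facing response stays identical for every recipient address.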
 



