iTunes Stored Credit Card Vulnerability

by Brendan Griffiths

A little background: About three weeks ago, my laptop was stolen.

A day after the computer went missing, I started to get bills from iTunes for songs I hadn't purchased.  Whoever had possession of the laptop was purchasing songs through the iTunes store, because I had enabled the one-click download feature.

I immediately contacted iTunes support (which is only available by email and took more than 48 hours to respond).  They suggested I cancel the credit card linked to my account and change my password, both of which I did immediately.

Assuming that, with the password changed, the thief would no longer be able to continue purchasing songs, I added my new credit card number to my account.  Immediately, I was billed for a backlog of songs that had been purchased while my previous card was inactive.  Again, the answer from iTunes support was that these purchases must have been made before I changed my password, and that my account was now secure, but that I should have my credit card reissued again, just to be safe.

For a couple of weeks, everything seemed fine.

I was able to add my new credit card to the account, and no additional fraudulent purchases were made.  Then, over the past few days, new bills started to come in from the iTunes store, again for songs I never purchased.  After calling Apple's customer support line several times, I was able to reach someone in the iTunes store who told me that there was no way that someone with a stored password would be able to make purchases once the password had been changed on my end.

Not believing them, I decided to test it myself, using a second computer.

So here is the big security hole: once you are logged in to the iTunes store, and have the one-click purchase option turned on, there is absolutely no way to stop downloads from being charged to your account.  Even Apple seems unable to stop them.

Here's how to test this: Log yourself into iTunes on two separate computers.

Download a song or two on both, and make sure that you have the one-click or click-to-buy option turned on.  Now, on one of the computers, go to the account settings page and change your password.

On the other computer, try downloading a song.  You will see that it downloads without a problem, even though the password has been changed.  You can even try quitting iTunes, restarting, etc.

You will always be able to download songs from the second computer, even without entering the new password.
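The procedure above is a test for a stale-session problem: a login that was authenticated under the old password keeps working after the password changes.  The following is an added example, not code from this post or from Apple, and it makes no claim about how the iTunes store actually implements sessions.  It builds a constructed toy store in Python with a naive session table beside a hardened one that stamps every session with a credential-generation counter, then replays the two-computer test against both.  All names (NaiveStore, HardenedStore, run_two_computer_test, the account "alice") are invented for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password, salt):
    # PBKDF2 is enough for a toy; the example is about session handling.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    credential_generation: int = 0          # used only by HardenedStore
    charges: list = field(default_factory=list)


class NaiveStore:
    """Vulnerable model (constructed): a token, once issued, is never
    re-checked against the credentials that produced it."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # token -> record from _session_record()

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user, password):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            raise PermissionError("bad password")
        return acct

    def login(self, user, password):
        self._check_password(user, password)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self._session_record(user)
        return token

    def _session_record(self, user):
        return user

    def _session_user(self, token):
        return self.sessions.get(token)

    def change_password(self, user, old_password, new_password):
        acct = self._check_password(user, old_password)
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        self._after_password_change(acct)

    def _after_password_change(self, acct):
        # The bug: self.sessions is untouched, so every token issued under
        # the old password keeps working (the post's "second computer").
        pass

    def one_click_purchase(self, token, item):
        user = self._session_user(token)
        if user is None:
            raise PermissionError("not logged in")
        self.accounts[user].charges.append(item)
        return len(self.accounts[user].charges)


class HardenedStore(NaiveStore):
    """Each session carries the credential generation it was issued under;
    a password change bumps the generation, so pre-existing tokens fail."""

    def _session_record(self, user):
        return (user, self.accounts[user].credential_generation)

    def _session_user(self, token):
        rec = self.sessions.get(token)
        if rec is None:
            return None
        user, generation = rec
        if generation != self.accounts[user].credential_generation:
            del self.sessions[token]   # issued before the password change
            return None
        return user

    def _after_password_change(self, acct):
        acct.credential_generation += 1


def run_two_computer_test(store_cls):
    """Replay the post's procedure: log in on A and B, buy on both, change the
    password on A, then buy on B. Returns True if B's stale session still charges."""
    store = store_cls()
    store.register("alice", "old-password")              # constructed account
    token_a = store.login("alice", "old-password")       # "computer A"
    token_b = store.login("alice", "old-password")       # "computer B"
    store.one_click_purchase(token_a, "song 1")
    store.one_click_purchase(token_b, "song 2")
    store.change_password("alice", "old-password", "new-password")  # done on A
    try:
        store.one_click_purchase(token_b, "song 3")      # B never saw the new password
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("naive store still charges:", run_two_computer_test(NaiveStore))
    print("hardened store still charges:", run_two_computer_test(HardenedStore))
```

The generation counter is one of several ways to get the same effect; deleting every session for the user inside change_password works too, but the counter also invalidates tokens that live in caches or on other servers the password-change path cannot reach.  Whatever the mechanism, the check a practitioner wants is the one in run_two_computer_test: a token obtained before the change must be rejected after it.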

Clearly, this is a major security issue that, for whatever reason, Apple is completely unwilling to recognize or fix.

Thankfully, my credit card company reversed all the charges from iTunes, so this ordeal hasn't cost me anything financially.  However, it has been an incredible hassle and waste of my time.