In case you've not heard, some developers have uploaded some software (mainly books and travel apps) that secures the user's details and makes purchases, a lot of purchases.
The store wasn't directly compromised. Consider the free books a trojan horse in the truest sense. You get the book, it gathers your info, reports it out - that's dumbed WAY down, but you get the gist.
Apparently there's a local store of your password, et al., that's being exploited. But... could something like that happen in the Ovi Store?
Ovi Store, unlike iTunes, works through MicroB, which encrypts the saved passwords (EDIT: maybe just better). However, a keylogger can help in this case...
Isn't it more likely that they use some social engineering trick to harvest the passwords?
I don't think they even store the iTunes password on iOS, because you're asked for the password every time you make a purchase. Well, it'll 'cache' it for 5-10 minutes for convenience, but past that period it'll re-ask you for the password to be resubmitted over the net for reauthentication.
Keylogger is also unlikely due to iOS' sandboxing lockdown.
Well, maybe it's possible the actual tools are logging in automatically from the victim's iPhone? Then again, if it spread so fast, maybe it was published somewhere (maybe just not in our part of the internet).
That's the thing, unless there's a huge gaping exploitable hole in the iOS, then these apps must've performed some sort of social engineering tricks to gain the users' iTunes Store passwords.
It's definitely a chink in Apple's armor, just wondering which part:
- iTunes Store itself (least likely)
- iOS sandbox (if this is the case, I'm surprised that the damage is limited to 1-2 perpetrators so far... and why there isn't an update yet to address it).
- iTunes Store's approval system (maybe the guy hid the social engineering routine somehow... and this sort of thing is nothing new for Apple)