0x0Lab Blog Just another damn blog

24 Feb 2011

Apple Ping Privacy Concerns

After the launch of the new iTunes and its brand new music social network, I decided, while trying it out, to check the privacy settings and what kind of HTTP requests are sent.

After clicking the "Turn On Ping" button, I was guided through creating a profile. Obviously I didn't want to use my real name, so I entered something else in the first name and last name input boxes, only to find out that changing the Ping profile name also changes the billing name for iTunes (I should have read the grey text under the input boxes, which clearly stated: "The name you enter is also the name associated with your account's billing information").

In short, if you want to be able to buy things from iTunes, you need to use your real name in the Ping profile.
Once I had created my profile I checked out the privacy settings, which seemed simple enough, offering three choices: on, on but requiring my approval, and off.
Going for off ("Don't allow people to follow me") seemed the obvious choice, thinking that my name would be protected (unless I posted reviews or comments, in which my full name would appear).
Later on, while inspecting the HTTP requests sent by iTunes, I saw requests to the following URL:

http://c.itunes.apple.com/us/profile/idXXXXXXXXXX

The request returned my profile page and carried a cookie. Curious, I fired up Burp and repeated the request with the cookie removed, only to find that the resulting page still contained my name.
Switching the privacy setting to allow people to follow me (even with "require my approval to follow me" checked) would also display the "Where I Live" field.
The whole process could very easily be automated in order to harvest IDs, names and locations.
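To make the failure concrete, here is an added example (my own toy model, not Apple's code and not from the original post) of a profile endpoint: the leaky rendering reproduces what was observed above, while the fixed one decides server-side from the requester's identity and the owner's privacy setting. The Profile type, the privacy labels and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Privacy choices as the post describes them; the labels are my assumption.
ALLOW, APPROVE, DENY = "allow", "require approval", "deny"
PERSONAL_FIELDS = {"name", "where_i_live"}

@dataclass(frozen=True)
class Profile:  # assumed shape, not Apple's data model
    owner_id: str
    first_name: str
    last_name: str
    where_i_live: str
    privacy: str  # ALLOW, APPROVE or DENY

def render_leaky(profile: Profile, session_user: Optional[str]) -> dict:
    """What the post observed: the name is rendered regardless of who asks
    (the session is never consulted), and the location is added as soon as
    following is allowed, approval requirement or not."""
    page = {"id": profile.owner_id,
            "name": f"{profile.first_name} {profile.last_name}"}
    if profile.privacy != DENY:
        page["where_i_live"] = profile.where_i_live
    return page

def render_fixed(profile: Profile, session_user: Optional[str]) -> dict:
    """Authorization keyed to the requester's identity, decided server-side:
    the owner always sees their own fields; anyone else sees them only if the
    owner opted in to being followed. A DENY profile exposes nothing but its
    id. (Tracking who has actually been approved is out of scope here.)"""
    page = {"id": profile.owner_id}
    if session_user == profile.owner_id or profile.privacy != DENY:
        page["name"] = f"{profile.first_name} {profile.last_name}"
        page["where_i_live"] = profile.where_i_live
    return page

def leaked_to_anonymous(render, profile: Profile) -> set:
    """Replays the Burp check from the post: the request with no cookie at all.
    Returns the personal fields that request still receives."""
    return PERSONAL_FIELDS & set(render(profile, None))

# Constructed sample profile; the id is a placeholder, not a real iTunes id.
SAMPLE = Profile("idXXXXXXXXXX", "Jane", "Doe", "Somewhere", DENY)

if __name__ == "__main__":
    for render in (render_leaky, render_fixed):
        print(render.__name__, "leaks:", sorted(leaked_to_anonymous(render, SAMPLE)))
```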

Posted by cirrus
