Minor Privacy Flaw in iTunes API (Disclosed)

by @edent

A (very minor) privacy issue I found with the iTunes API - disclosed on 7th April.

Apple provide an API to allow users to search the iTunes store.

Let's suppose that a user wishes to search for Music Videos from The Beatles. The search itself is performed over HTTPS.

https://itunes.apple.com/search?entity=musicVideo&term=beatles

This means that anyone sniffing the connection won't see what the user searched for - nor will they see the response from Apple.

The only fly in the ointment is that some of the resources returned in the results are not served over HTTPS.

For example, here's the first of the 31 results returned by the Beatles search:

{ "resultCount" : 31,
  "results" : [ { "artistId" : 136975,
        "artistName" : "The Beatles",
        "artistViewUrl" : "https://itunes.apple.com/us/artist/the-beatles/id136975?uo=4",
        "artworkUrl100" : "http://a2.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.100x100-75.jpg",
        "artworkUrl30" : "http://a4.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.40x30-75.jpg",
        "artworkUrl60" : "http://a5.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.80x60-75.jpg",
        "collectionCensoredName" : "Abbey Road",
        "collectionExplicitness" : "notExplicit",
        "collectionId" : 401186200,
        "collectionName" : "Abbey Road",
        "collectionPrice" : 12.99,
        "collectionViewUrl" : "https://itunes.apple.com/us/music-video/abbey-road-documentary/id401187199?uo=4",
        "country" : "USA",
        "currency" : "USD",
        "discCount" : 1,
        "discNumber" : 1,
        "kind" : "music-video",
        "previewUrl" : "http://a157.v.phobos.apple.com/us/r1000/060/Video/72/fe/52/mzm.bxhrrlns..640x480.h264lc.u.p.m4v",
        "primaryGenreName" : "Rock",
        "radioStationUrl" : "https://itunes.apple.com/us/station/idra.401187199",
        "releaseDate" : "2010-11-16T08:00:00Z",
        "trackCensoredName" : "Abbey Road (Documentary)",
        "trackCount" : 19,
        "trackExplicitness" : "notExplicit",
        "trackId" : 401187199,
        "trackName" : "Abbey Road (Documentary)",
        "trackNumber" : 18,
        "trackPrice" : -1.0,
        "trackTimeMillis" : 232000,
        "trackViewUrl" : "https://itunes.apple.com/us/music-video/abbey-road-documentary/id401187199?uo=4",
        "wrapperType" : "track"
      },

As you can see, the following are served over an unencrypted connection.

"artworkUrl100" : "http://a2.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.100x100-75.jpg",
"artworkUrl30"  : "http://a4.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.40x30-75.jpg",
"artworkUrl60"  : "http://a5.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.80x60-75.jpg",
"previewUrl"    : "http://a157.v.phobos.apple.com/us/r1000/060/Video/72/fe/52/mzm.bxhrrlns..640x480.h264lc.u.p.m4v",

If the client automatically grabs the images - which most will in order to make the user interface look attractive - any malicious actor sniffing the traffic will be able to see these requests.

It's pretty easy to look at the returned image (the Abbey Road cover art) and make a reasonable guess as to the search term submitted.
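The leak above is easy to detect mechanically on the client side, and a client that cannot wait for the server to fix it can refuse to fetch anything the response points at over plain HTTP. The following is an added example written for this post, not Apple's code or part of the original post: it walks a constructed copy of the response shown above (field names and URLs copied from it), lists every value whose scheme is http, and then either rewrites such a URL to https (only for hosts the caller has already verified serve the same content over TLS; a2.mzstatic.com appears in the usage line purely as an illustration, the post says nothing about which hosts support HTTPS) or blanks it so the UI never requests it in the clear.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the iTunes search response quoted above.
# Only one result is included; the field names and URLs are the ones the post shows.
SAMPLE_RESPONSE = """
{ "resultCount": 1,
  "results": [ {
    "artistName": "The Beatles",
    "artistViewUrl": "https://itunes.apple.com/us/artist/the-beatles/id136975?uo=4",
    "artworkUrl100": "http://a2.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.100x100-75.jpg",
    "artworkUrl30": "http://a4.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.40x30-75.jpg",
    "artworkUrl60": "http://a5.mzstatic.com/us/r30/Video/16/d8/ba/mzi.otkgeuyk.80x60-75.jpg",
    "previewUrl": "http://a157.v.phobos.apple.com/us/r1000/060/Video/72/fe/52/mzm.bxhrrlns..640x480.h264lc.u.p.m4v",
    "trackViewUrl": "https://itunes.apple.com/us/music-video/abbey-road-documentary/id401187199?uo=4"
  } ]
}
"""


def find_cleartext_urls(payload):
    """Return (json_path, url) pairs for every string value in the decoded
    response whose scheme is plain http. The walk is recursive rather than
    keyed on a fixed list of field names, so a new *Url field is not missed."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [index])
        elif isinstance(node, str) and urlsplit(node).scheme == "http":
            found.append((".".join(str(p) for p in path), node))

    walk(payload, [])
    return found


def harden_response(payload, upgrade_hosts=()):
    """Return a copy of the response with no http:// URLs left in it.
    A URL whose host is in upgrade_hosts (hosts the caller has verified serve
    the same content over TLS; an assumption, not something the API states)
    is rewritten to https://; any other http:// URL becomes None so the UI
    has nothing to fetch in the clear."""

    def fix(node):
        if isinstance(node, dict):
            return {key: fix(value) for key, value in node.items()}
        if isinstance(node, list):
            return [fix(value) for value in node]
        if isinstance(node, str):
            parts = urlsplit(node)
            if parts.scheme == "http":
                if parts.hostname in upgrade_hosts:
                    return urlunsplit(("https",) + tuple(parts[1:]))
                return None
        return node

    return fix(payload)


def audit_sample():
    """Run the audit over the embedded sample and return (leaks, hardened)."""
    payload = json.loads(SAMPLE_RESPONSE)
    leaks = find_cleartext_urls(payload)
    # a2.mzstatic.com is listed here only to illustrate the upgrade path.
    hardened = harden_response(payload, upgrade_hosts={"a2.mzstatic.com"})
    return leaks, hardened


if __name__ == "__main__":
    leaks, hardened = audit_sample()
    for path, url in leaks:
        print(f"cleartext fetch: {path} -> {url}")
    print("after hardening:", find_cleartext_urls(hardened))
```

Run against the sample, the audit reports exactly the four fields the post singles out (three artwork URLs and the preview URL); after hardening, the one host on the allow-list is upgraded and the other three values are blanked, so a second audit finds nothing. The blanking policy is deliberately the default: a missing thumbnail is a cosmetic cost, while fetching it in the clear is the leak the post describes.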

Impact

Ok, searching for music and videos may not be overly sensitive - unless your parents ban Rock 'n' Roll music.

But searching for other material such as eBooks could be problematic:

[Image: cover art of "Satanic Verses"]

It doesn't take a mastermind to work out what the user searched for to produce this result.

Searching for healthcare related information could reveal personal medical details:

If, all of a sudden, the network sniffer sees these images being transferred, it's pretty easy to work out what's being searched for.

[Images: cover art of "Make the Yuletide Gay", "Another Gay Sequel" and "Gay Movie"]

Impact and Mitigation

Hey, it's only metadata. The "bad guys" can't see what you searched for, only that it returned a list of books about suicide support, alcohol addiction, and divorce law.

Anyone between you and Apple can see the cover art of everything you search for. Your ISP, the coffee-shop owner, an abusive spouse, a spy.

As I said at the start - this is a very minor privacy hole. You may not believe that your reading habits should be private, but many people do.

I've spoken to Apple repeatedly since the beginning of April, but they don't seem eager to fix it.

Apple can easily mitigate this problem by serving all resources securely.

One thought on “Minor Privacy Flaw in iTunes API (Disclosed)”

  1. Tom Morris says:

    If someone is watching 'Another Gay Sequel', the primary inference one can reasonably make is poor taste.
