
Apple allows sign up for iTunes membership and emails at myinfo.apple.com without confirming registration

Posted by: skyl on March 16, 2010

Or, How Apple Inc stole money from me to increase their bottom line.

Today at around 3pm, I got an unsolicited email from Apple Inc, welcoming me to iTunes. A membership had been created for an email address on my domain. I immediately started trying to think of what security vulnerability I had that allowed someone to create a membership with one of my email addresses. I felt compelled to get to the bottom of the problem without delay. How did one of my emails get compromised?

As it turns out, you can create an account with Apple for any email address without confirmation. I can create an account with your email address, regardless of whether you already have an account with that address. I can then sign you up for newsletters and who knows what else without needing access to your email account to confirm registration.

This is the text of the message that I received:

iTunes Store Welcome Dear bean,

Welcome to the iTunes Store, the best place to preview, buy, and download music. You can also browse our wide selection of films, TV programmes, audiobooks, podcasts and more. Keep this email in a safe place for future reference. It includes important information about your account.

Here's all you need to get started

(iTunes Logo)

Your iTunes Store Account has been set up, with the following Apple ID: sam.toms@skyl.org

( Use the password you created when you set up your account online )

To launch iTunes and visit the iTunes Store right now, click here.

Your account is set up and enables you to purchase and download immediately. You can enjoy your purchases on up to five computers, make unlimited playlists, burn CDs, and transfer music and more to your iPod. iTunes Plus purchases – songs and music videos available in our highest-quality, 256 kbps AAC format and without digital rights management (DRM) – can be played on an unlimited number of computers and compatible digital music players. Use your new Apple ID for all kinds of Apple purchases – from the newest hardware in the Apple Store online to photo books and prints through iPhoto.

For a video tutorial on how to use the iTunes Store, click here.

If you would like to find out more about the iPod digital music player, visit http://www.apple.com/uk/ipod/ to learn how you can take up to 40,000 songs you buy and download with you wherever you go.

For help using the Store, choose Help > iTunes Help in iTunes. If you have questions about your purchases, click on the grey Sign In box in the upper right-hand corner of the iTunes Store and enter your name and password. Once you have logged in, click Account under Quick Links, then click Purchase History.

If you have forgotten your password or need additional customer service, please visit http://www.apple.com/uk/support/itunes/store/

Thanks for setting up your account!

Sincerely,

The iTunes Store Team iTunes Store

As you can see, there are 4 links, 3 of which are purely crass, commercial advertisement for ways that I can spend money with Apple. The last, http://www.apple.com/uk/support/itunes/, has great resources like video tutorials on how to Get started with iTunes. The support links are, astoundingly, UNDISCOVERABLE WITH JAVASCRIPT TURNED OFF. Finally, if you do have the right browser with the correct settings, you may be able to pick through the various toggle-able information to finally get to http://www.apple.com/uk/support/itunes/contact.html?form=account&topic=iTunes%20Store%20Account%20and%20Billing&subtopic=Edit%20Account%20Information . You probably won't be able to find this link without losing your mind, though. To know where to go, the best way may be to give them a call at whatever number you can find, wait the 15 minutes, and then describe your problem to them so that they can help you find this form.

Beware: to successfully post this form, you will have to swallow your pride and declare that you are using either a variant of Windows or MacOS, or the form will not validate. I think it must be a real (if unofficial) policy at Apple to never mention the existence of any operating systems other than Windows and MacOS. If you are not using iTunes, as I am not, you will also have to lie and say that you are using some specific version of iTunes.

I'm still not sure how to get that particular email that I was originally sent. I did however find another place where I can sign you up for Apple newsletters without your consent, the ominously named http://myinfo.apple.com/. When I sign you up against your will here, you will get a message that reads something like:

Thank you for setting up your Apple ID : skylar.saveland

Your personal information is now stored in our system, so you won't have to enter it every time you make a purchase at the online Apple Store or register a new Apple product. Your new Apple ID also gives you access to the AppleCare Knowledge Base.

Learn more about your new Apple ID by visiting:

https://myinfo.apple.com/html/en_UK/faq.html

If you ever need to change the information you gave us, just visit the My Info website and sign in with your Apple ID and password:

http://www.apple.com/contact/myinfo

Rest assured that your information is safe and secure with us. We'll use it only when you visit an Apple website. We will not share it with any other organization or use it for any other purpose. To learn how Apple collects, uses, and safeguards the personal information you provide, visit:

http://www.apple.com/uk/legal/privacy/

Thank you again for signing up for your Apple ID.

Am I alone in thinking that this is outrageous? I have to waste my time picking through Apple's website because Apple doesn't have the wherewithal or decency to handle their emails properly? Any junior web developer operating alone and for free should know better. There must be a reason that Apple operates like this.

Math

If users have to go to their email to confirm their registration, perhaps some percentage of users will be deterred from continuing in the process and will give up. Presumably, this results in Apple losing money.

Apple chooses to waste a certain number of people's time and to waste power, bandwidth, and other resources (some of which are theirs to waste, some not) to facilitate customers getting registered more quickly, even if fraudulently. The numbers look the same in a data table and sound the same in a meeting, "We got N new signups this quarter!" woohoo.

I even received an invoice in my inbox for this fraudulent account. Are you really going to let your webapp send invoices to unconfirmed emails? Really? And not provide a one-click "not me" on the welcome email? Really? Would you suggest that I should just mark the emails SPAM, put a filter on my inbox, and go about my day? Well, that's what these web development practices seem to be, yes? Spam. The basic tenet of spam is to waste other people's time and resources pursuing your own profits.
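The gating asked for above (no mail other than the confirmation until the address owner confirms, plus a one-click "not me") can be sketched as follows. This is an added example, not code from the original post or from Apple; the function names, the in-memory `accounts` store and the 24-hour link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)      # per-deployment signing key (generated here for the demo)
TOKEN_TTL = 24 * 3600                 # assumed lifetime of the emailed links, in seconds
ACTIONS = ("confirm", "not_me")
accounts = {}                         # email -> {"state": "pending"|"active", "nonce": str}

def _sign(action, email, nonce, expires):
    msg = f"{action}|{email}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def register(email, now=None):
    """Create a pending account and return the tokens for the two emailed links."""
    if accounts.get(email, {}).get("state") == "active":
        raise ValueError("address already confirmed by its owner")
    nonce = secrets.token_hex(8)      # fresh nonce invalidates links from earlier attempts
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    accounts[email] = {"state": "pending", "nonce": nonce}
    return {a: f"{a}.{expires}.{_sign(a, email, nonce, expires)}" for a in ACTIONS}

def handle_link(email, token, now=None):
    """Process a clicked link; True only for a valid, unexpired token on a pending account."""
    now = time.time() if now is None else now
    acct = accounts.get(email)
    try:
        action, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:                # wrong number of fields or non-numeric expiry
        return False
    if acct is None or acct["state"] != "pending" or action not in ACTIONS:
        return False
    expected = _sign(action, email, acct["nonce"], expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()) or now > expires:
        return False
    if action == "confirm":
        acct["state"] = "active"
    else:
        del accounts[email]           # "not me": drop the record, nothing more is sent
    return True

def may_send(email, kind):
    """Only the confirmation message may go to an address that is not yet confirmed."""
    acct = accounts.get(email)
    return acct is not None and (kind == "confirmation" or acct["state"] == "active")
```
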

Hilariously

http://www.apple.com/uk/support/itunes/

There is a picture of a phone and an envelope on the support page, http://www.apple.com/support/itunes/images/helpicons_xe.gif, but the only phone numbers that you can actually see when the page loads are:

Shop the Apple Online Store, call 0844 209 0611*, visit an Apple Retail Store or find a retailer. * £0.05p per minute when dialled from a landline within the UK. Call charges may vary when calling from a mobile phone.

You can also, super-easily, browse Related Products.

A static image with no functionality. A support page that cannot be viewed without JavaScript. The hubris to have as the only number on the support page a pay-per-minute call to the store.

Apple

I've been pretty neutral on Apple forever. I like Linux. I like open-source. Apple stuff can be pretty nifty.

I've been hearing rumblings of Apple being litigious lately. And I've long felt that their closed-marketplace, top-down business model is no place where I want to live. But, I was just hoping that we could peaceably coexist without Apple being a detriment to my afternoon, disturbing my profits in pursuit of theirs.
