WingNews logo WingNews GitHub [2]
top | item 2633847

Ask HN: Can't iTunes Match be used to actually "pirate" content?

3 points| ufuk | 14 years ago

Since iTunes Match will be sending to Apple server the fingerprints of the songs on one's computer, could one not, theoretically, fake iTunes into believing that an audio file with a given fingerprint actually exists on your computer?

This attack vector was used by Dropship to transfer files across Dropbox accounts (Ref: http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/), but the implications were minor since, from a security perspective, the attack was on a fellow user. Here the attack is on the iTunes system as a whole, and enables you to download songs that you have not purchased and have not ripped or downloaded.

I can already imagine networks popping up where people share their audio fingerprints.

3 comments

order
[+] mikecane|14 years ago|reply
Most likely so. But that $25 or so per year is most likely not going to Apple but being split by the record labels. Others have pointed out this is kind of a piracy amnesty. The average person just isn't going to go nuts pirating music to get some sort of deal. Those aren't the kind of people buying iDevices. Besides which, don't people have to upload the music for the scan? Broadband uploads speeds are crap, again whittling away whatever incentive people might have to load up on stolen music.
[+] ufuk|14 years ago|reply
I realized that the $25 per year was a form of piracy amnesty the moment I heard about it. The way I see it, people pay $25 per year to get an all-you-can-eat music service, since they can always legitimize content they keep on downloading from illegitimate sources.

My question, however, is whether it is even necessary to download any illegitimate content. Nobody needs to upload any music to any servers (iTunes Match claims not to), all they need to do is to trick iTunes to make it look like "Song X.mp3" is actually on their hard-drive. In order to do that all people need to find out is what data iTunes sends to mothership about a particular song. A similar feat was achieved by Dropship.