
iTunes Gift Certificates Reverse Engineered

Source: Tom's Hardware US | 39 comments

A Chinese website is selling iTunes gift cards that are worth up to $200 for as low as $3.

How is this possible? Chinese hackers managed to reverse engineer the algorithms responsible for creating iTunes voucher codes, creating fully legitimate codes that are redeemable via the iTunes store into a customer's account. The hackers have now made key generators to actually create the codes on the fly. Unfortunately for them, the codes only work in the U.S. iTunes store.

Which is why the codes are now being sold on Taobao, the largest auction site in China.

At this time, Apple hasn't made any public comments on the situation, most likely because it's working on a solution to invalidate the codes. Unfortunately, the codes are legitimate and are based on Apple's own algorithm for generating codes, so any attempt to alter the codes would potentially hurt all the existing cards in stores.
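The design point at stake, as an added example (not from the original article and not Apple's actual scheme): a code that is accepted because it satisfies a formula can be produced by anyone who learns the formula, while a code that must also exist in a server-side ledger cannot. The alphabet, the 16-character length, the toy check character and the names `format_ok` and `VoucherLedger` are all constructed for illustration.

```python
import hashlib
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no look-alikes (constructed)


def check_char(body: str) -> str:
    """Toy check character: catches typos, proves nothing about issuance."""
    return ALPHABET[sum(ALPHABET.index(c) for c in body) % len(ALPHABET)]


def format_ok(code: str) -> bool:
    """Algorithm-only validation: true for ANY well-formed code, issued or not."""
    return (len(code) == 16 and all(c in ALPHABET for c in code)
            and check_char(code[:-1]) == code[-1])


class VoucherLedger:
    """Server-side record of issued codes; the ledger, not the format, grants value."""

    def __init__(self):
        self._issued = {}  # sha256(code) -> [value_cents, redeemed]

    @staticmethod
    def _key(code: str) -> str:
        # Unsalted hash is acceptable only because each code carries ~75 random bits.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, value_cents: int) -> str:
        body = "".join(secrets.choice(ALPHABET) for _ in range(15))  # CSPRNG, 15 * 5 bits
        code = body + check_char(body)
        self._issued[self._key(code)] = [value_cents, False]
        return code

    def redeem(self, code: str) -> int:
        """Return the value in cents, or 0 if never issued or already spent."""
        entry = self._issued.get(self._key(code)) if format_ok(code) else None
        if entry is None or entry[1]:
            return 0
        entry[1] = True  # single use
        return entry[0]


def demo():
    ledger = VoucherLedger()
    real = ledger.issue(20000)
    unissued = "A" * 15 + check_char("A" * 15)  # well-formed, but never issued
    return (format_ok(unissued), ledger.redeem(unissued),
            ledger.redeem(real), ledger.redeem(real))
```

With a ledger, a single code or batch can also be voided by deleting its entry, without touching the format that cards already in stores rely on.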

The cards are now starting to also appear on eBay, but for much more--around $40 for a $200 card.

What do you think of the situation? Do you feel that $0.99 is already a fair asking price for a single song and that the hackers are stepping way out of line?

Comments
  • -4
    Anonymous, March 15, 2009 9:11 PM
    These thieves are probably the same ones responsible for viruses and the like making many lives a misery.

    Why don't they use their skills to create something useful?
  • 3
    eddieroolz, March 15, 2009 9:19 PM
    Probably because this is "useful" to them...

    But seriously though, Chinese hackers can reverse engineer anything these days! It's only a matter of time until they crack other, more serious things too...
  • -8
    Flameout, March 15, 2009 9:31 PM
    US$0.99 is still the same price for a song if I were to buy an actual CD containing an average of 10 songs, so yeah I get why they do this
  • 11
    resonance451, March 15, 2009 9:34 PM
    I think iTunes songs should be available at a higher bit-rate and I think charging to upgrade to iTunes plus is irritating, but in spite of my complaints I can't be moved to support piracy, particularly when iTunes is a great alternative to purchasing in-store. While things need to change in the music industry, it's not justification for attempting to ruin the better part of the industry because you couldn't be bothered to pay for the goods and services you desire.
  • 5
    Anonymous, March 15, 2009 9:48 PM
    Anyone else remember the PWN2OWN contest where the MacBook Air was hacked in less than a minute!
    -> http://www.securityfocus.com/brief/711
  • 18
    dariushro, March 15, 2009 10:18 PM
    Apple is too stupid to base its vouchers on algorithms instead of database...incredibly stupid.
  • -4
    Anonymous, March 15, 2009 10:42 PM
    Selling on a China auction site does not mean it is from that country. Can someone confirm where it is actually from?
  • 12
    Tindytim, March 15, 2009 10:46 PM
    Flameout: US$0.99 is still the same price for a song if I were to buy an actual CD containing an average of 10 songs, so yeah I get why they do this

    I bought "Revolutionary Vol.2" for $12, and it had 18 songs on it. That's less than $0.67 per song, not including the art that went into creating the case, and the fold out pages with lyrics. Not to mention the fact that the quality is much higher and that I can rip it into any format of my choice.

    $0.99 for some relatively low quality file seems like a huge rip to me.
  • 11
    thejerk, March 15, 2009 11:58 PM
    People are always going to find ways to circumvent a system. It seems that it's part of human nature. I don't support piracy, but I certainly don't feel too terrible that Apple's deep pockets are being picked. If anything, these hackers did Apple a favor, showing them fundamental flaws in the security of these algorithms. Why not consider the profits of the exploit payment of a "consulting fee," and move on, lol...

    Anyone else old enough to remember "them" telling us that CDs were going to eventually sell for $5 each because they'd be cheap to replicate, etc, etc? Well the record companies kept the prices up all these years to keep profits high. They got what they deserved when file sharing took off, and I think that Apple is seeing the business end of the whip, too.

    When you run a business, there's always a point where you must change or die. Basically, you adapt to the market, or you close up and fail. It's time for change... higher bitrates, lower prices... whatever. Change, or fail.
  • 16
    Humans think, March 16, 2009 12:03 AM
    dariushro: Apple is too stupid to base its vouchers on algorithms instead of database...incredibly stupid.

    You are so damn right :p Every algorithm can be reverse engineered if you have a big enough sample :p
  • 5
    cruiseoveride, March 16, 2009 1:50 AM
    I wouldn't mind buying music, if a single song cost 10c.

    At 99c, I think I'll get my music "elsewhere".
  • 2
    T-Bone, March 16, 2009 1:59 AM
    But Apple...it just works?
    hehehehehe
  • 1
    v12v12, March 16, 2009 2:36 AM
    Wtf all you talkin bout Willis?! Apple is infallible, come on, since when have they EVER admitted "wrong doing?" IE getting owned by Creative, and settling out of court for STEALING ideas, long already "innovated." Apple is all about extra helpings of dressing and making snobs feel even more elevated.

    Here I've googled it for you all: http://tinyurl.com/chtc8s

    Decent hardware, but their "image," is trite and haughty, just like many of their user base. Better or worse, Apple will always be alive and well b/c there's too many people that wanna pretend to be "better" or more "informed" than the rest of "us." Go APPLE! HAHAHA
  • 4
    v12v12, March 16, 2009 2:40 AM
    thejerk: People are always going to find ways to circumvent a system. It seems that it's part of human nature. I don't support piracy, but I certainly don't feel too terrible that Apple's deep pockets are being picked. If anything, these hackers did Apple a favor, showing them fundamental flaws in the security of these algorithms. Why not consider the profits of the exploit payment of a "consulting fee," and move on, lol... Anyone else old enough to remember "them" telling us that CDs were going to eventually sell for $5 each because they'd be cheap to replicate, etc, etc? Well the record companies kept the prices up all these years to keep profits high. They got what they deserved when file sharing took off, and I think that Apple is seeing the business end of the whip, too. When you run a business, there's always a point where you must change or die. Basically, you adapt to the market, or you close up and fail. It's time for change... higher bitrates, lower prices... whatever. Change, or fail.


    Nagh you forgot another option: Change, Fail... or CONTROL the "market!" Control it and thus you have no reason to "change," even if that's what the consumers demand/need/everyone would benefit from. The RIAA/MPAA are trying their best to maintain CONTROL Vs change. "Change," scares big business, and COSTS them "PROFIT." lol... They'll resist change as long as they can maintain control... same old news.
  • 5
    SAL-e, March 16, 2009 3:42 AM
    Side effect of the DMCA law. Cracking DRM or any encryption is illegal in USA, but the law never stopped criminals. Now, if only security researchers were allowed to do reverse engineering, Apple could have early notice and replace the algorithm or the business model before it becomes a public problem. They support DMCA they deserve the penalty.
    Next would be the Credit Card banks. They are actively suppressing the independent security research on RFID credit cards. Before you know someone will put small device next to the door of the big store and copy everyone's card even if it is in their pocket. That is what happens when our politicians vote for laws that protect old dinosaurs.
  • 2
    Raid3r, March 16, 2009 3:47 AM
    Really who cares..I'll say it again....people will always find a way to get what they want. Oh well. Learn or die...business wise and security wise.
  • 0
    yang, March 16, 2009 6:14 AM
    The problem with this is not so much for people who will pirate songs but people can also use these $400 gift cards to buy real iPod products. Too bad I live in Canada, I would love to buy an iPod touch for 20 dollars lol
  • 1
    mdillenbeck, March 16, 2009 6:46 AM
    How could one not say the criminal act of theft is not crossing the line? They generated the code worth monetary value without surrendering any money - so if not theft, it is at least counterfeiting non-governmental legal tender.

    While I agree Apple shares some of the blame for using an algorithm alone (versus an algorithm for 'fast processing' followed by verification in a database), it does not make the criminal act any less so. If you walk into a convenience store and do not see an attendant, it does not mean you are free to grab whatever is close by and leave legally.

    As to the price per song, that's a bit more complicated. The lack of physical media and warehouse/distribution chains reduce costs, but maintaining servers and paying bandwidth probably eat much of that up. Thus, for individual DRM-free songs I think $0.99 is reasonable. If you buy a whole set of songs at the same time, it should cost no more than the marketed package (either the cost of the CD or the multi-CD set at MSRP). For songs with DRM on it, the $0.99 price should be reduced to reflect the restricted nature of the product.

    Would I pay $0.99 per song? No. I believe that the artists of the songs should be the main recipients of the income, much in the same way that I believe that farmers should be the recipients of the cost of food I purchase. Next should come the retailers of the product who act as "intermediary" purchasers - since they should assume a risk if the product does not sell. Last should come the supplemental manufacturing chains - such as the studios that maintain the costly equipment to record the songs and pay the engineers to make it sound perfect. The current system does not support this pricing structure.

    Of course, the RIAA tactics have prevented me from buying music for several years. I will not buy original CDs, used CDs (which helps drive the original CD markets), or digital songs due to what I view as criminal extortion (the 'settle for $3k or we'll sue and cost you more than $3k in legal fees' tactic). Honestly, it's not all that bad - I've rediscovered the pleasure of reading again... that, and I now have time to come to Tom's and post! :)
  • 0
    mrcheesle, March 16, 2009 7:53 AM
    Consider it part of the new stimulus plan, it's great for economic recovery! Woops, nm...
  • 0
    duzcizgi, March 16, 2009 8:53 AM
    Although I told piracy isn't stealing most of the time, *this* is not piracy, *this* is stealing.
    Don't know what they were thinking at Apple, but, relying on an algorithm to verify authenticity of a code, but not to check them up from a database called for the trouble. It's plain stupid.