Ask HN: Can't iTunes Match be used to actually "pirate" content?
Since iTunes Match will be sending to Apple server the fingerprints of the songs on one's computer, could one not, theoretically, fake iTunes into believing that an audio file with a given fingerprint actually exists on your computer?
This attack vector was used by Dropship to transfer files across Dropbox accounts (Ref: http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/), but the implications were minor since, from a security perspective, the attack was on a fellow user. Here the attack is on the iTunes system as a whole, and enables you to download songs that you have not purchased and have not ripped or downloaded.
I can already imagine networks popping up where people share their audio fingerprints.
3 comments
[ 2.3 ms ] story [ 18.6 ms ] threadMy question, however, is whether it is even necessary to download any illegitimate content. Nobody needs to upload any music to any servers (iTunes Match claims not to), all they need to do is to trick iTunes to make it look like "Song X.mp3" is actually on their hard-drive. In order to do that all people need to find out is what data iTunes sends to mothership about a particular song. A similar feat was achieved by Dropship.
So it does scan, not require an upload unless it's not matched. Very interesting. It's not a service I'll be using, though.