ufuk on Hacker News

Since iTunes Match will be sending to Apple server the fingerprints of the songs on one's computer, could one not, theoretically, fake iTunes into believing that an audio file with a given fingerprint actually exists on your computer?

This attack vector was used by Dropship to transfer files across Dropbox accounts (Ref: http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/), but the implications were minor since, from a security perspective, the attack was on a fellow user. Here the attack is on the iTunes system as a whole, and enables you to download songs that you have not purchased and have not ripped or downloaded.

I can already imagine networks popping up where people share their audio fingerprints.

3ufuk15y ago3

ufuk

Recent submissions

One engine, many tools – Introducing Rubydex (opens in new tab)

New for Ruby 3.4: Modular Garbage Collection and MMTk (opens in new tab)

Prism (new Ruby parser) in 2024 (opens in new tab)

Linking Rust and C: Practicing Symbol Hygiene (opens in new tab)

Static Typing for Ruby: Adopting Sorbet at Scale (opens in new tab)

Show HN: SlackThemes – Make Slack pretty with custom themes (opens in new tab)

Show HN: A! - location based reminder app for iOS (opens in new tab)

Google+ for Google Apps domains is in the works (opens in new tab)

Ask HN: Can't iTunes Match be used to actually "pirate" content?