Apple's iTunes Affiliates site briefly subjected to image swaps

Josh Carr
J. Carr|11.03.09

Our friends over at OS X Daily passed along their story noting that Apple's site for iTunes Affiliates was vulnerable to a cross-site URL trick, letting you substitute your own images for the ones normally displayed on the page. Since the site is intended to let websites display a custom top banner, this was 'as designed' -- at least until jokesters began taking advantage.

The trick works (or at least, it did) by taking the page's default URL from the browser's address bar and editing the parts of it that carry the artist name, album name, album thumbnail source and the image link, so the banner renders whatever those values point at.
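To show why a banner that reflects URL-supplied text and image links is a problem, and what the fix looks like, here is an added example; it is not Engadget's or Apple's code, and the parameter names (`artist`, `album`, `thumb`, `link`), the example.com hosts and the crafted query string are all constructed for illustration. The naive renderer reproduces the behaviour the post describes; the hardened one escapes text and only accepts image and link URLs on an allowlisted host.

```python
"""Added example (not from the original post): a banner renderer that reads
artist, album, thumbnail and link from the query string, first in a naive
form that reflects the values verbatim, then in a hardened form. Parameter
names, allowed hosts and sample inputs are assumptions."""
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hosts the hardened renderer trusts for images and links (placeholder values).
ALLOWED_HOSTS = {"cdn.example.com", "store.example.com"}
DEFAULT_THUMB = "https://cdn.example.com/default-banner.png"  # placeholder
DEFAULT_LINK = "https://store.example.com/"                     # placeholder


def _params(query: str) -> dict:
    """Flatten a query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def naive_banner(query: str) -> str:
    """Reflects the URL values straight into markup. A crafted link to this page
    shows an attacker-chosen image, link and text to anyone who follows it."""
    q = _params(query)
    return (f'<a href="{q.get("link", "")}">'
            f'<img src="{q.get("thumb", "")}" alt="{q.get("album", "")}">'
            f'</a><span>{q.get("artist", "")} - {q.get("album", "")}</span>')


def _trusted_url(value: str) -> Optional[str]:
    """Accept only absolute https URLs whose host is on the allowlist."""
    parsed = urlparse(value)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return None
    return value


def hardened_banner(query: str) -> str:
    """HTML-escape the text fields and fall back to fixed defaults whenever the
    supplied image or link URL is not on a trusted host."""
    q = _params(query)
    thumb = _trusted_url(q.get("thumb", ""))
    link = _trusted_url(q.get("link", ""))
    if thumb is None or link is None:
        # Never render untrusted destinations; use the site's own defaults.
        thumb, link = DEFAULT_THUMB, DEFAULT_LINK
    artist = escape(q.get("artist", ""))
    album = escape(q.get("album", ""))
    return (f'<a href="{escape(link)}">'
            f'<img src="{escape(thumb)}" alt="{album}">'
            f'</a><span>{artist} - {album}</span>')


# Constructed sample inputs: one crafted prank link, one legitimate link.
CRAFTED = ("artist=Prankster&album=%3Cb%3EFake%3C%2Fb%3E"
           "&thumb=http%3A%2F%2Fattacker.invalid%2Fprank.png"
           "&link=http%3A%2F%2Fattacker.invalid%2F")
LEGIT = ("artist=Band&album=Record"
         "&thumb=https%3A%2F%2Fcdn.example.com%2Fcover.jpg"
         "&link=https%3A%2F%2Fstore.example.com%2Falbum%2F1")

if __name__ == "__main__":
    print("naive:   ", naive_banner(CRAFTED))
    print("hardened:", hardened_banner(CRAFTED))
    print("legit:   ", hardened_banner(LEGIT))
```

The allowlist is the important part: escaping alone would stop injected markup but would still happily show the prank image, which is exactly the swap the post describes.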

The Internet moves pretty fast, though. As I was typing this, Apple removed the top banner altogether, preventing the customized image display. No more pranks for us.

In any case, OS X Daily pointed out that the image issue could allow malicious folks to redirect would-be Apple visitors to malware sites or other bad destinations. Even an innocent image viewer that appears within an iframe on a branded page can cause problems; that's what the folks at Wired found out last January, when someone took advantage of their image tool to post a hoax "Steve Jobs had a heart attack" news story.

Props to Apple's web development team, though, for taking this down within the ten minutes it took me to finish the post.