Our friends over at OS X Daily passed along their story noting that Apple's site for iTunes Affiliates was vulnerable to a cross-site URL trick, letting you substitute your own images for the ones normally displayed on the page. Since the site is intended to let websites display a custom top banner, this was 'as designed' -- at least until jokesters began taking advantage.
The trick works (or at least, it did) by taking the default URL from the web browser and replacing a few things like the artist name, album name, album thumbnail source and the image link.
The Internet moves pretty fast, though. As I was typing this, Apple removed the top banner altogether, preventing the customized image display. No more pranks for us.
In any case, OS X Daily pointed out that the image issue could allow malicious folks to redirect would-be Apple visitors to malware sites or other bad destinations. Even an innocent image viewer that appears within an iframe on a branded page can cause problems; that's what the folks at Wired found out last January, when someone took advantage of their image tool to post a hoax "Steve Jobs had a heart attack" news story.
Props to Apple's web development team, though, for taking this down within the ten minutes it took me to finish the post.