Apple has issued an advisory to warn that malicious hackers can rig audio files to hijack usernames and passwords from its popular iTunes media player.

The company described the bug as a “design issue” in the iTunes podcast feature that can be abused via rigged audio files to cause an authentication dialog to be presented to the user.  From that dialog, a hacker can hijack the user’s iTunes credentials, which are sent to the podcast server.

From Apple’s advisory [Apple.com]:

  • A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server.

Apple has shipped a patch in iTunes 8.1 to clarify the origin of the authentication request in the dialog box.

More coverage at ZDNet.com and CNet News.com.

Categories: Social Engineering, Vulnerabilities