Only 24 hours after the launch of Apple’s new social network, Ping, the service has been overrun by spammers. The fraudsters have created iTunes profiles and are posting links to a number of online scams, including ones that promise “free iPhones” or “free iPads” in exchange for filling out online surveys. For the most part, these suspicious links are being posted in the comments sections of the most popular artists on Ping, like Lady Gaga, Katy Perry, U2 and others, all of whom are among the recommended accounts linked to from the Ping homepage.
As security expert Chester Wisniewski points out, Apple doesn’t require a credit card or any other positive identification in order to establish an account on Ping, which itself is a part of the newly launched iTunes 10. Requiring one wouldn’t be advisable, either, as it would lock out a lot of “credit card-less” kids, teens and young adults from using iTunes. There’s actually quite a bit of free content available from the iTunes Store, from apps to music to video, allowing parents to feel comfortable in letting their children manage their own iTunes accounts without close supervision.
Given those lax sign-up requirements, however, it’s somewhat surprising that Apple didn’t build a good spam filtering system into its social network, too. The types of links being posted now are what any halfway decent blog commenting system like Disqus or Echo would pick up automatically, or at least flag for review, especially since the posts contain links.
Although not mentioned by Wisniewski, we think the lack of attention to this security detail should have new Ping users concerned, or at least wary. If Ping’s spam filter (assuming one even exists) doesn’t block links to obvious online scams, how can we be sure it’s blocking links of a more nefarious nature – like those to sites hosting viruses, trojans or phishing scams?
Where’s the Spam Filter?
What’s odd is that Apple is managing other aspects of the Ping network’s security. User profile pictures have to be approved before becoming visible; we’ve yet to see blatantly offensive comments or posts, which seems to indicate some sort of filter; and, as the Apple-watching blog MacRumors notes, there is a “report activity” mechanism in place. Clicking the “report” link on any spammer’s comment brings up a dialog box of choices such as “offensive comments,” “inappropriate photo or video” and “spam.”
But typically a report mechanism would be used to deal with the items the spam filter missed, not as the first line of defense. Given the rampant nature of the spam – we’ve yet to see an artist profile not affected by this problem – either Ping’s spam filter needs major improvement or the report mechanism is the only spam filter Apple has.
We would ask Apple for comment on this, but they never return our calls. (Working in Apple PR must be great, right?) So we’ll just leave you with this warning instead: You can’t get a free iPhone from filling out an online survey, OK? Don’t click those links.