Some days ago, I decided to give last.fm a try. Since the website itself is pretty much useless without the standalone “scrobbing” app, I downloaded and installed it. I had iTunes running while it was installing and running it for the first time. To my surprise, last.fm’s Mac client closed iTunes without asking. No matter, I restarted iTunes right away and it was OK. A day later, I decided to quit using last.fm and deleted the app. During all that time, I didn’t close iTunes.
Now to the scary part: a few hours later, I wanted to log into my iTunes Store account to redeem a code and here’s what happened:
Obviously the login didn’t work. I tried a wrong password and got a different (more appropriate) error message so it wasn’t an authentication or connectivity issue.
What might not be obvious for everyone is that the red text references a Java exception and a term used in the Java Virtual Machine (the PermGen space). So far so good but the funny thing is that iTunes is not written in Java! Restarting iTunes solved the problem but thinking about it afterwards made me realize what might have been happening here…
I’m not accusing last.fm but looking at the facts, there’s a slight possibility that their client intercepts iTunes Store logins! (well I guess I might be accusing them somehow now…)
- Having used the iTunes API myself (on windows), I know it’s not necessary to restart iTunes in order to get information about the track that’s currently being played. However, since last.fm isn’t supposed to do more than that, why in god’s name did it restart iTunes? Not asking for it makes it even more suspect…
- After uninstalling the last.fm software, maybe some of its Java code from within iTunes was trying to gather my login data, throwing an error because it couldn’t reach the last.fm software for submitting it?!
I insist that this is total speculation, I know the last.fm software is open source and that it claims not being spyware but please, explain to me why some java code has something to do with “FieldName” in the iTunes Store login box?! You’ve got to admit that that’s suspect!! At least suspect enough for me to not use it anymore and to write this article.
Besides, -let’s be really paranoid for a second- even though the “good” source code may be available, nothing prevents them from compiling an “altered” version of their client and providing that for binary download. Most (non-geek) people don’t install from source anyway and, since it’s binary, no one might ever notice any difference. Oh, and did I mention this is still speculation?
Anyhow, the observations are all real and no one has proven the contrary so there is a slight chance I might be right. Now, if anyone has an explanation for this, feel free to reply!