Someone could make an iframe with what looked like the Apple login and trick people into "logging in". Then they distribute the URL via shortened URLs through Twitter and grab a bunch of Apple logins.
Free iTunes until you get caught. Chances are Apple would be able to track who downloaded what onto what Apple devices. I'm sure retribution would be swift and thorough.
In my opinion that does count as an XSS attack, though it perhaps does not use the traditional techniques. (This is for those who have said that this is actually not an XSS attack.)