In-app hack creator admits defeat, says 'it's all over…for now'
In a blog post on his website on Monday titled "It's all overâ¦for now," Alexey Borodin said there is no way to bypass the new APIs Apple rolled out late last week as a quick fix for the revenue-stealing exploit made public earlier in July, reports The Mac Observer.
Word of the exploit, which validated fraudulent purchases by routing them through a specialized DNS server which spoofed digital receipts, first came a little over a week ago. Apple responded by blocking the IP addresses associated with Borodin's workaround and attempting to shut down the DNS servers hosting the dubious receipt validations.
The iPhone maker announced a temporary solution to plug the hole days later and announced that a permanent fix would be present in the upcoming iOS 6 mobile operating system.
Screenshot of Borodin's iOS in-app purchase workaround in action.
From Borodin's Monday blog post:
Hello everyone.
By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.
But, service will still remain operational until iOS 6 comes out.
The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.
Apple's solution leverages receipts which carry a "unique identifier" to validate in-app purchases. The previous system merely generated generic receipts with no specific user data attached, thus allowing for easily spoofed validations. It remains unclear what type of unique identifier is being used, though some have speculated it could be a proprietary system based on UDID data.
An email regarding the security changes was issued last Friday which asked developers to take necessary precautions listed on a special support page. As part of the fix content makers were given access to two private Apple APIs for the express purpose of validating in-app purchases with Apple's new system.
12 Comments
Oi! How do you say, 'screw you' in Russian? This guy wants our sympathy, he can forget it.
On a related note…
The guy wanted some fame and hopefully a few usable credit card numbers. He got at least one of them. As for the pat he's giving himself, the fix has been there for a while if developers wanted to use it so all he did was kick a few of the lazier ones in the ass. He really didn't cause some major OS change like he wants folks to think. The stuff in ios 6 was triggered by the jailbreak not him
It's amazing that people would give their account details to some Russian website/hacker in order to save 99 cents here and there. Why certainly! And why aren't those users on Android?
It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
We all remember the DigiNotar mess - Apple took weeks to fix that as well. And last week Adobe suffered the same pain as all the iOS developers when their software stopped working because of a change Apple had made.
It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
Most apps are not affected by this because they don't use the IAP system. Even in those that do many are not affected because they used the previously built in checks system that has been around for a while.
This issue won't affect any users unless they use it and if they are that greedy and or were that stupid and greedy that's not Apple's fault. If developers are so lazy that they won't do that is perhaps a few hours work to add the change (which Apple spells out in detail) that's not Apple's fault. Nor is it a 'flaw' that Apple attempted to trust the developers and users to be good honest folks. Well actually it is a flaw but not in the software, the flaw is that Apple ever had that belief.
As for the Adobe comment, most of the time that software stops working due to a change, that change was broadcast to folks ahead of time so it's not Apple's fault that someone didn't keep up. This is true of this issue given that Apple released a beta of the 10.7.4 update to the developers in advance. If Adobe's people had been doing their jobs they would have seen the change and updated appropriately. They weren't and they didn't.