Archive for the ‘purchase receipts’ tag
It’s been 10 days since Russian hacker Alexey Borodin unleashed hell for Apple with his iOS in-app purchasing exploit. But after successfully countering some of Apple’s attempts to shut him down, Borodin is calling it quits on his iOS hack. Instead, he’s going to focus more on his Mac OS X exploit, unveiled over the weekend.
“By examining Apple’s last statement about in-app purchases in iOS 6, I can say that currently game is over,” Borodin wrote in a blog post, referring to Apple’s fix for developers against his exploit. “Currently we have no way to bypass updated APIs. It’s good news for everyone, we have updated security in iOS, developers have their air-money.”
Borodin went on to say that he will continue running his iOS exploit service until iOS 6 comes out. Apple has offered developers early access to some APIs to secure their in-app purchases, but it won’t be able to widely fix Borodin’s exploit until iOS 6 is released.
He hinted that he has something in store for Apple’s Mac OS X app store. That exploit is similar to the iOS in-app hack, but it also requires a separate app called “Grim Receiper” to function. Apple hasn’t yet responded to Borodin’s OS X hack, but I would imagine that it would be tougher to fix, since the desktop OS is more open than iOS.
As I’ve written previously, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customer accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.
The latest hack, which affects OS X 10.7 and above (earlier versions don’t support in-app purchases), also relies on tricking Apple’s very basic receipt system for in-app purchases.
Borodin’s latest exploit method doesn’t differ too much from his original iOS hack: You simply need to install two system certificates, change your DNS settings to point to his server, and use a new app called “Grim Receiper.” The app is the only unique element of the Mac OS X hack, and it serves to keep track of receipts for you to reuse, according to Borodin’s explanation.
Basically, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customers’ accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.
Apple last night announced that iOS 6 will fix Borodin’s iOS hack, and earlier this week it started attaching unique device IDs (UDIDs) to in-app purchase receipts. For now, developers need to authenticate in-app purchase receipts before they get sent to Apple’s servers.
Apple initially tried to cut off Borodin from its servers using his IP address and urged his ISP to shut down his website. As VentureBeat’s security guru Meghan Kelly tells it, Borodin was eventually able to relaunch his website via an off-shore ISP and figured out another way to steal in-app purchases without using the App Store.
We’re interested in seeing where this game of cat and mouse goes. We’ve dropped a line to Apple for further comment on the news.
Borodin is now accepting donations via Bitcoin, after PayPal stopped accepting donations to him.
Apple gave developers a temporary way to stem the flow of stolen in-app purchases today, after a Russian hacker published a technique for downloading goods without paying for them. The issue overall should be fixed in iOS 6, the company says.
According to 9to5Mac, Apple identified the issue in an e-mail to developers, saying it stems from a vulnerability in iOS 5.1 and earlier. Russian hacker Alexey V. Borodin exploited the vulnerability and later published a video to YouTube (which has since been removed) that explained how to use the hack. Here’s what the e-mail said:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
Prior to the release of iOS 6, however, Apple urges developers to have in-app purchase receipts sent to their own servers for validation before being sent on to Apple’s App Store servers. It has also provided a bit of code developers can use to protect themselves. The hack is fairly user-friendly and doesn’t involve jail-breaking the phone, which makes it even more of a thorn in developers’ sides. This sort of stealing cuts off a major source of revenue for iOS developers, particularly those who make free-to-play apps.
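Apple’s e-mail above describes why on-device validation fails (the device’s DNS and trust store are under the user’s control) and the paragraph above gives the mitigation: validate on a server the developer controls. The following Python example, added here and not code from Apple or from any article on this page, shows what that server-side check looks like. It forwards the receipt to Apple’s verifyReceipt endpoint from the server’s own TLS stack, confirms the receipt belongs to this app and names the product being unlocked, and refuses a transaction_id it has already redeemed, which is the reuse problem the articles describe. The bundle identifier `com.example.game`, the product identifiers, the receipt blobs and the stand-in Apple responses are all constructed for the demo, and the response field names (`bid`, `product_id`, `transaction_id`) are assumed to follow Apple’s legacy single-transaction verifyReceipt format of that era.

```python
import base64
import binascii
import json
import urllib.request
from typing import Callable, Dict, Set

# Apple's production verifyReceipt endpoint (real URL; the offline demo below never contacts it).
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


class ReceiptRejected(Exception):
    """Raised when a receipt fails any check; the purchase must not be granted."""


def apple_verifier(receipt_b64: str) -> Dict:
    """Forward the receipt to Apple from the developer's server.

    The TLS connection uses the server's own trust store and resolver, so a DNS
    entry or CA installed on the customer's device cannot redirect it.
    """
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(
        APPLE_VERIFY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def validate_purchase(
    receipt_b64: str,
    expected_bundle_id: str,
    expected_product_id: str,
    seen_transaction_ids: Set[str],
    verifier: Callable[[str], Dict] = apple_verifier,
) -> str:
    """Validate one receipt and return its transaction_id, or raise ReceiptRejected."""
    try:
        base64.b64decode(receipt_b64, validate=True)  # reject malformed input early
    except (binascii.Error, ValueError):
        raise ReceiptRejected("receipt is not valid base64")

    result = verifier(receipt_b64)
    if result.get("status") != 0:  # 0 is Apple's "receipt is valid" status
        raise ReceiptRejected(f"App Store status {result.get('status')}")

    # Assumed legacy response shape: 'bid' is the bundle identifier.
    receipt = result.get("receipt", {})
    if receipt.get("bid") != expected_bundle_id:
        raise ReceiptRejected("receipt was issued for a different app")
    if receipt.get("product_id") != expected_product_id:
        raise ReceiptRejected("receipt names a different product")

    txn = receipt.get("transaction_id")
    if not txn:
        raise ReceiptRejected("receipt has no transaction_id")
    if txn in seen_transaction_ids:  # same receipt presented twice: a replay
        raise ReceiptRejected(f"transaction {txn} already redeemed (replay)")
    seen_transaction_ids.add(txn)
    return txn


# --- Constructed sample data for an offline demonstration -------------------
# Stand-in for Apple's server: knows one constructed receipt; anything else gets
# status 21003 (Apple's code for a receipt that could not be authenticated).
_GOOD_RECEIPT = base64.b64encode(b"constructed-receipt-blob-1").decode()
_FAKE_RESPONSES = {
    _GOOD_RECEIPT: {
        "status": 0,
        "receipt": {
            "bid": "com.example.game",
            "product_id": "com.example.game.coins100",
            "transaction_id": "1000000012345678",
        },
    }
}


def fake_apple_verifier(receipt_b64: str) -> Dict:
    return _FAKE_RESPONSES.get(receipt_b64, {"status": 21003})


def demo() -> list:
    """Run the validator over constructed attempts; returns (label, verdict, detail) rows."""
    seen: Set[str] = set()
    forged = base64.b64encode(b"not-a-real-receipt").decode()
    attempts = [
        ("genuine", _GOOD_RECEIPT, "com.example.game.coins100"),
        ("replayed", _GOOD_RECEIPT, "com.example.game.coins100"),
        ("wrong-product", _GOOD_RECEIPT, "com.example.game.coins1000"),
        ("forged", forged, "com.example.game.coins100"),
    ]
    outcomes = []
    for label, receipt, product in attempts:
        try:
            txn = validate_purchase(receipt, "com.example.game", product, seen, fake_apple_verifier)
            outcomes.append((label, "granted", txn))
        except ReceiptRejected as err:
            outcomes.append((label, "rejected", str(err)))
    return outcomes


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The `seen_transaction_ids` set stands in for whatever persistent store the server uses; the point is that the replay check lives on the server, where a redirected DNS entry on the handset cannot reach it. In production the store should be keyed per customer account as well, so that one customer’s genuine receipt cannot be redeemed on a second account.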
After finding out about the hack, Apple went after Borodin, cutting off his IP address’ access to the company’s servers. It also asked Borodin’s Internet service provider to shut down his website, which was collecting donations to keep the hack running, and requested that YouTube take down the video he uploaded explaining the hack.
PayPal has since shut down donations to Borodin.
However, Borodin was later able to reinstate the website using an off-shore ISP and figured out a way to continue stealing in-app purchases without accessing the App Store. Apple responded Wednesday by sending in-app purchase receipts to developers with a UDID assigned to each one. The UDID is a means to identify a phone and could be used to see who is using the hack.
hat tip 9to5Mac; Screen shot via Borodin’s removed YouTube video
Apple is continuing its fight against a Russian hacker who is supplying a way for iPhone users to download in-app purchases without paying. The company is now including a unique identifier in all in-app purchase receipts, according to MacRumors.
Last week Russian hacker Alexey V. Borodin developed a way for iPhone users to steal in-app purchases without having to jailbreak their phones. The method involved installing two security certificates and changing the DNS settings on the phone to download in-app purchases over a special connection. Apple soon came after Borodin, shutting down his IP’s access to Apple servers and asking his Internet service provider to take down his website, In-App.com. Borodin, however, dodged Apple’s efforts by setting up his website outside of Russia and devising a way to steal in-app purchases without going through Apple’s App Store servers.
However, Apple isn’t giving up just yet. As MacRumors observes, the company is now tracking the UDID associated with each in-app purchase. That is, Apple is watching the unique identifier associated with each phone that performs this transaction. It is then sending that data on the receipts to the developers.
Apple recently decided to start rejecting applications using UDIDs, since gathering data from them is a slippery privacy slope. MacRumors notes that this could be a placeholder for a new type of identification that will be associated with each in-app purchase, or it could be that Apple wants to know which users specifically are stealing in-app purchases using Borodin’s system.
For now, Borodin continues to use his YouTube account, ZonD80, to promote his tactics, though Apple had his first video introducing the hack taken down.