In-app hack creator admits defeat, says 'it's all over - for now'
The Russian hacker responsible for discovering a system to sidestep paying for in-app purchases confirmed on Monday that Apple's newly instituted receipt validation system is effective.
In a blog post on his website on Monday titled "It's all over - for now," Alexey Borodin said there is no way to bypass the new APIs Apple rolled out late last week as a quick fix for the revenue-stealing exploit made public earlier in July, reports The Mac Observer.
Word of the exploit, which validated fraudulent purchases by routing them through a specialized DNS server which spoofed digital receipts, first came a little over a week ago. Apple responded by blocking the IP addresses associated with Borodin's workaround and attempting to shut down the DNS servers hosting the dubious receipt validations.
The iPhone maker announced a temporary solution to plug the hole days later and said that a permanent fix would be present in the upcoming iOS 6 mobile operating system.
Screenshot of Borodin's iOS in-app purchase workaround in action.
Apple's solution leverages receipts which carry a "unique identifier" to validate in-app purchases. The previous system merely generated generic receipts with no specific user data attached, thus allowing for easily spoofed validations. It remains unclear what type of unique identifier is being used, though some have speculated it could be a proprietary system based on UDID data.
From Borodin's Monday blog post:
Hello everyone.
By examining Apple's latest statement about in-app purchases in iOS 6, I can say that currently the game is over. Currently we have no way to bypass the updated APIs. It's good news for everyone: we have updated security in iOS, and developers have their air-money.
But the service will still remain operational until iOS 6 comes out.
The other thing is the in-app store for OS X. We are still waiting for Apple's reaction, and we have some cards in hand. It's good that OS X is open.
An email regarding the security changes was issued last Friday which asked developers to take necessary precautions listed on a special support page. As part of the fix content makers were given access to two private Apple APIs for the express purpose of validating in-app purchases with Apple's new system.
Most recently, Borodin created a workaround for in-app purchasing in OS X apps using an identical method to his iOS hack. Apple has yet to issue a statement regarding the matter.
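The two validation patterns the article contrasts, a generic receipt accepted on the say-so of whatever server answers the DNS lookup versus a receipt that carries a unique identifier and is checked against the app that requested it, can be modelled in a few dozen lines. The following is an added example written for this page, not Apple's API or Borodin's code: the receipt field names (`bundle_id`, `product_id`, `transaction_id`), the server names and the signing keys are all constructed, and an HMAC over the reply stands in for the TLS server authentication a real client would rely on.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the genuine validation server's identity.
# A real deployment relies on TLS with certificate verification for this;
# a shared secret is used here only to keep the model self-contained.
GENUINE_SERVER_KEY = b"constructed-genuine-validation-key"
ATTACKER_KEY = b"constructed-attacker-key"  # a spoofing server does not hold the genuine key


def _sign(body, key):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def validation_server(receipt, key):
    """Model of a validation endpoint: confirms the receipt and signs the reply."""
    body = {"status": 0, "receipt": receipt}
    return {"body": body, "sig": _sign(body, key)}


def old_style_check(response):
    """Pre-fix pattern: trust whoever answered, as long as it says 'valid'."""
    return response["body"]["status"] == 0


class ReceiptValidator:
    """Post-fix pattern: authenticate the responder, bind the receipt to this
    app and product, and require a unique transaction identifier that is
    consumed exactly once."""

    def __init__(self, bundle_id, server_key):
        self.bundle_id = bundle_id
        self.server_key = server_key
        self.consumed = set()  # transaction identifiers already credited

    def validate(self, response, expected_product):
        body = response["body"]
        if not hmac.compare_digest(_sign(body, self.server_key), response["sig"]):
            return False, "reply not from the genuine validation server"
        if body["status"] != 0:
            return False, "server rejected the receipt"
        receipt = body["receipt"]
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt issued for a different app"
        if receipt.get("product_id") != expected_product:
            return False, "receipt is for a different product"
        transaction_id = receipt.get("transaction_id")
        if not transaction_id:
            return False, "generic receipt with no unique identifier"
        if transaction_id in self.consumed:
            return False, "transaction identifier already consumed (replay)"
        self.consumed.add(transaction_id)
        return True, "ok"


def run_scenarios():
    """Constructed receipts run through both checks; returns a name -> outcome map."""
    validator = ReceiptValidator("com.example.game", GENUINE_SERVER_KEY)
    genuine = {"bundle_id": "com.example.game", "product_id": "gems_100", "transaction_id": "txn-0001"}
    generic = {"bundle_id": "com.example.game", "product_id": "gems_100"}  # no unique identifier
    other_app = {"bundle_id": "com.example.other", "product_id": "gems_100", "transaction_id": "txn-0002"}

    results = {}
    reply = validation_server(genuine, GENUINE_SERVER_KEY)
    results["genuine_first_use"] = validator.validate(reply, "gems_100")
    results["genuine_replayed"] = validator.validate(reply, "gems_100")
    # Generic receipt answered by a server reached through a redirected DNS lookup
    reply = validation_server(generic, ATTACKER_KEY)
    results["spoofed_old_check"] = old_style_check(reply)
    results["spoofed_new_check"] = validator.validate(reply, "gems_100")
    # Generic receipt that the genuine server would still confirm
    reply = validation_server(generic, GENUINE_SERVER_KEY)
    results["generic_via_genuine"] = validator.validate(reply, "gems_100")
    # Valid receipt, but issued to another app
    reply = validation_server(other_app, GENUINE_SERVER_KEY)
    results["other_app_receipt"] = validator.validate(reply, "gems_100")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} -> {outcome}")
```

The old-style check accepts the spoofed reply because it never asks who answered; the new validator rejects it on the signature alone, and even a genuinely signed generic receipt fails because it carries no identifier that can be bound to one purchase and consumed once. The order of the checks matters: authenticate the responder first, then bind the receipt to the app and product, then enforce single use, so that an attacker who controls the network never reaches the later, more expensive steps.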
Comments
Oi! How do you say, 'screw you' in Russian? This guy wants our sympathy, he can forget it.
On a related note…
As for the pat he's giving himself, the fix has been there for a while if developers wanted to use it, so all he did was kick a few of the lazier ones in the ass. He really didn't cause some major OS change like he wants folks to think. The stuff in iOS 6 was triggered by the jailbreak, not him.
It's amazing that people would give their account details to some Russian website/hacker in order to save 99 cents here and there. Why certainly! And why aren't those users on Android?
It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
We all remember the DigiNotar mess - Apple took weeks to fix that as well. And last week Adobe suffered the same pain as all the iOS developers when their software stopped working because of a change Apple had made.
Quote:
Originally Posted by neiltc13
It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
Most apps are not affected by this because they don't use the IAP system. Even in those that do many are not affected because they used the previously built in checks system that has been around for a while.
This issue won't affect any users unless they use it, and if they are that greedy and/or were that stupid and greedy, that's not Apple's fault. If developers are so lazy that they won't do what is perhaps a few hours' work to add the change (which Apple spells out in detail), that's not Apple's fault. Nor is it a 'flaw' that Apple attempted to trust the developers and users to be good honest folks. Well, actually it is a flaw, but not in the software; the flaw is that Apple ever had that belief.
As for the Adobe comment, most of the time that software stops working due to a change, that change was broadcast to folks ahead of time so it's not Apple's fault that someone didn't keep up. This is true of this issue given that Apple released a beta of the 10.7.4 update to the developers in advance. If Adobe's people had been doing their jobs they would have seen the change and updated appropriately. They weren't and they didn't.
Quote:
Originally Posted by neiltc13
The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
Mr Borodin is coming across as an utter jerk in the way he has handled this issue.
And I must admit to being quite disappointed by the number of big name iOS developers who still don't appear to have taken the effort to have updated their apps to include Retina display support, four months after the debut of the new iPad.
Yeah, Adobe, I'm looking at you.
And to think graphics are part of their core business.
It will be interesting to see how many react quickly to protect their potential income instead.
Quote:
Originally Posted by neiltc13
It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.
We all remember the DigiNotar mess - Apple took weeks to fix that as well. And last week Adobe suffered the same pain as all the iOS developers when their software stopped working because of a change Apple had made.
Oh I don't take the same take as you. It seems to me that every exploit that Apple has learned of has been taken seriously and has eventually been corrected. They have a pretty good track record that way. Just because they don't make knee jerk decisions and quickly throw out some messy code fix, doesn't mean that Apple isn't fixing the flaw. They take a little more time, but do it right. I'm just sayin'.
There are other Operating System companies out there that don't handle exploits nearly as quickly or efficiently as Apple. They shall remain nameless, you can figure it out.
Quote:
Originally Posted by SixnaHalfFeet
There are other Operating System companies out there that don't handle exploits nearly as quickly or efficiently as Apple. They shall remain nameless, you can figure it out.
But… patch Tuesdays…
Quote:
Originally Posted by Tallest Skil
But… patch Tuesdays…
Don't forget "Exploit Wednesdays"!
Or RIM's layoff Thursdays, jested on in the NYT and WSJ.
Quote:
Originally Posted by mrstep
It's amazing that people would give their account details to some Russian website/hacker in order to save 99 cents here and there. Why certainly! And why aren't those users on Android?
Obviously because they're sleazy Apple fans not capable of using real slick phones?
Really, that kind of pseudo-question is ridiculously lame... I do agree with you on the "giving account details to a Russian website" part...
Quote:
Originally Posted by Tallest Skil
Oi! How do you say, 'screw you' in Russian? This guy wants our sympathy, he can forget it.
Well, I won't judge given I don't have any idea who he is, but isn't exposing hidden issues a good thing? I mean, people seem to have abused that loophole silently to steal revenue from developers, and now that Borodin has caused that ruckus, money flows back to the hard-working ones, no?
Quote:
Originally Posted by lightknight
…isn't exposing hidden issues a good thing?
And I'd be praising him if that had been his actual intent.