
Hack allows free access to in-app iOS purchases [u]

post #1 of 68
Thread Starter 
A video released on Wednesday reportedly details an iOS "hack" that allows free access to in-app purchases for certain apps and is likely to cause developers to lose money until the hole is patched.

Editor's note: AppleInsider does not condone illegal activity or EULA abuse and in no way endorses the activity described below. As such this article is presented purely for discussion.

According to a report by MacWorld, Russian coder Alexey V. Borodin is responsible for finding and taking advantage of the exploit which was subsequently posted to YouTube. As of this writing the video had accumulated over 2,000 views.

The process entails installing forged digital certificates onto an iOS device and connecting to a unique DNS server which the app believes to be Apple's official App Store. Borodin explains that the server then sends spoofed code receipts, normally issued by Apple, to the app which in turn validates the purchase. He goes on to say that the receipts were "easy to spoof" because they are generic and contain no specific user data.

While other hacks require a jailbroken iOS device able to run proprietary code, the newest iOS exploit simply takes advantage of what can be perceived as a hole in Apple's purchasing system.

Apparently Borodin created the bypass as a "challenge" to developers of CSR Racing, a so-called "freemium" app that costs nothing to download but offers exclusive in-app purchases to unlock special content.

"I set this up due to hungry and lazy developers," Borodin wrote in an instant message conversation with the publication. "I was very angry to see that CSR Racing developer taking money from me every single breath."

Screenshot of Borodin's in-app purchasing workaround being used on CSR Racing. | ZonD80's YouTube channel


Instapaper developer Marco Arment believes that the hack will only work for one-time in-app purchases while subscription-based buys should be unaffected.

"It probably won't affect the auto-renewing subscriptions, since they rely on a lot of server-side processing to track, but it wouldn't surprise me if it could affect any other [in-app purchase] type (including non-renewable 'subscriptions' like what Instapaper uses) if the apps don't check with Apple's verification servers from their own web services," Arment writes.

Employing the hack not only affects developers' incomes but users could face negative implications as well and the fault may lie with Apple's purchasing system.

"I can see the Apple ID and password [of users who use the hack]," Borodin said. "But not the credit card information." It appears that Apple's system passes both bits of sensitive information to the Apple Store server in unencrypted plain text.

The exploit is likely an easy fix for Apple, said developer Marco Tabini, though a patch would likely involve a software update.

Borodin claims that he is not worried about any legal action from Apple and instead took a different spin on the situation: "I'm a happy user of iPhone 4S - I think they will hire me."

Update: Apple caught wind of Borodin's successful App Store receipt validation scheme and has issued the following statement (via The Loop):

"The security of the App Store is incredibly important to us and the developer community," Natalie Harrison told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."
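
The server-side check Arment refers to in the article above, as an added example that is not part of the original article and is not Apple's or any developer's own code: the developer's web service asks the verification service itself, so the DNS server and certificates configured on the device play no part, and it binds each transaction to one account so a generic receipt cannot be reused. The JSON field names (`receipt-data`, `status`, `receipt`, `bid`, `product_id`, `transaction_id`) are assumed from Apple's legacy receipt-verification format; `PurchaseLedger`, `ask_apple`, `fake_apple` and all sample values are hypothetical and constructed.

```python
"""Server-side redemption of in-app purchase receipts (illustrative sketch)."""


class ReceiptRejected(Exception):
    """Raised when a receipt must not unlock content."""


class PurchaseLedger:
    def __init__(self, bundle_id, products, ask_apple):
        self.bundle_id = bundle_id
        self.products = set(products)
        # ask_apple: callable that submits {"receipt-data": ...} to the
        # verification service from the developer's own server (own DNS,
        # own TLS trust store) and returns the parsed JSON reply.
        self.ask_apple = ask_apple
        self._redeemed = {}  # transaction_id -> account that redeemed it

    def redeem(self, account, product_id, receipt_b64):
        """Return the transaction id if the receipt may unlock product_id."""
        if product_id not in self.products:
            raise ReceiptRejected("unknown product")
        # Never trust the device's own verdict; verify from the server.
        reply = self.ask_apple({"receipt-data": receipt_b64})
        if reply.get("status") != 0:
            raise ReceiptRejected("verification service rejected receipt")
        receipt = reply.get("receipt") or {}
        # A valid receipt for some other app or item proves nothing here.
        if receipt.get("bid") != self.bundle_id:
            raise ReceiptRejected("receipt issued for another app")
        if receipt.get("product_id") != product_id:
            raise ReceiptRejected("receipt is for a different product")
        tx = receipt.get("transaction_id")
        if not tx:
            raise ReceiptRejected("no transaction id")
        # Receipts carry no user data, so the server supplies the binding:
        # the first account to redeem a transaction owns it.
        owner = self._redeemed.setdefault(tx, account)
        if owner != account:
            raise ReceiptRejected("transaction already redeemed elsewhere")
        return tx


# Constructed stand-in for the verification service, so the example runs
# offline. Keys are sample receipt blobs; values are what a genuine
# verification reply is assumed to contain.
GENUINE = {
    "cmVjZWlwdC1B": {"bid": "com.example.racer", "product_id": "gold_pack",
                     "transaction_id": "1000000000000001"},
    "cmVjZWlwdC1C": {"bid": "com.example.other", "product_id": "gold_pack",
                     "transaction_id": "1000000000000002"},
}


def fake_apple(payload):
    receipt = GENUINE.get(payload.get("receipt-data"))
    if receipt is None:
        return {"status": 21002}  # constructed non-zero (failure) status
    return {"status": 0, "receipt": receipt}


def outcome(ledger, account, product_id, receipt_b64):
    """Redeem and report the result as a string, for logging or display."""
    try:
        return "unlocked: " + ledger.redeem(account, product_id, receipt_b64)
    except ReceiptRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    ledger = PurchaseLedger("com.example.racer", {"gold_pack"}, fake_apple)
    print(outcome(ledger, "alice", "gold_pack", "cmVjZWlwdC1B"))  # genuine
    print(outcome(ledger, "bob", "gold_pack", "cmVjZWlwdC1B"))    # replayed
    print(outcome(ledger, "bob", "gold_pack", "c3Bvb2ZlZA=="))    # spoofed
    print(outcome(ledger, "bob", "gold_pack", "cmVjZWlwdC1C"))    # other app
```
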

post #2 of 68
Okay, why are we reporting this at all?

"To get the word out and make sure Apple and developers know about it."

Still.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.

 

post #3 of 68
Quote:
Originally Posted by Tallest Skil View Post

"To get the word out and make sure Apple and developers know about it."
post #4 of 68
As a developer, I'd like to address Alexey with this... I'm an app developer who is neither lazy nor greedy. I'm trying to make a paycheck and it takes time and energy to create value in apps. We want to keep the cost of our app low, so we use in-app purchases when we add new features that not everyone wants to pay for. We already deal with the app being pirated and now we have the prospect of in-app purchases being stolen as well.

Why don't you get a life and actually try to improve upon your world instead of stealing from hard working developers who are trying to make a living?
post #5 of 68

This is probably better not blasted all over every Apple fansite.

post #6 of 68
Quote:
Originally Posted by Negafox View Post

This is probably better not blasted all over every Apple fansite.

Probably so, but too late because AI was actually late to this party.

Who really wants to pass their user name and password to Russia? Please people, you're only asking for trouble if you use this hack.
post #7 of 68
Basically, the equivalent of "I'm mad this game costs so much, so I broke into the store and took it, and I'm going to show you how to do the same so I can teach these greedy developers a lesson."

Yeah, or you could simply not buy it. But hey, some people think they are entitled to steal.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #8 of 68
Quote:
Originally Posted by Suddenly Newton View Post

Yeah, or you could simply not buy it. But hey, some people think they are entitled to steal.

That's exactly the mindset.

"I can't afford it, so I'm entitled to download it for free. This can't be illegal."

post #9 of 68
Quote:
Originally Posted by GregInPrague View Post


Probably so, but too late because AI was actually late to this party.
Who really wants to pass their user name and password to Russia? Please people, you're only asking for trouble if you use this hack.

"Editor's note: AppleInsider does not condone illegal activity or EULA abuse and in no way endorses the activity described below. As such this article is presented purely for discussion."

 

Bullshit. It is despicable that AI would publish this crap. You might as well publish the IP addresses of all the torrent sites and publish a little tutorial on how to steal software and music. I saw this on MacRumors early this morning. You know what one lowlife, dirt/douche bag posted? "Me want!"

 

 

post #10 of 68
Quote:
Originally Posted by Tallest Skil View Post


That's exactly the mindset.
"I can't afford it, so I'm entitled to download it for free. This can't be illegal."

 

This is why movies, songs and software are pirated by nearly all young people throughout Europe.  "I wouldn't pay for it, so they're not losing money if I take it."  Most people that I know under 35 years old go to the movies maybe twice a year, everything else is pirated.  So far there are no consequences, so what argument is there against it?  When you talk about morality you get laughed at.

post #11 of 68
Quote:
Originally Posted by AppleInsider View Post


Editor's note: AppleInsider does not condone illegal activity or EULA abuse and in no way endorses the activity described below. As such this article is presented purely for discussion.

 

Oh of course, but you'll be happy to give you the hacker's YouTube channel and enjoy the ad revenue from all the page hits. 

post #12 of 68
Quote:
Originally Posted by GregInPrague View Post

This is why movies, songs and software are pirated by nearly all young people throughout Europe.  "I wouldn't pay for it, so they're not losing money if I take it."  Most people that I know under 35 years old go to the movies maybe twice a year, everything else is pirated.  So far there are no consequences, so what argument is there against it?  When you talk about morality you get laughed at.

So how do we change this? What needs done to get these morons back on track?

post #13 of 68
Quote:
Originally Posted by Suddenly Newton View Post

Basically, the equivalent of "I'm mad this game costs so much, so I broke into the store and took it, and I'm going to show you how to do the same so I can teach these greedy developers a lesson."
.

And use your greed to steal your Apple ID and password so I can buy a ton of stuff and sell it on eBay. I'll get my cousins in America to help me by buying it to pickup in store with their name as okay to pick up for you. In and out before you know what hit you, you lazy greedy turd.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #14 of 68
Quote:
Originally Posted by Tallest Skil View Post

So how do we change this? What needs done to get these morons back on track?

Short of catching them and putting them and the torrent etc site owners in jail for life, nothing

The best you can do is curb the ones that have a solvable reason. Like they say they do it cause iTunes only has 480p video or no subtitles/language tracks, the cost, it doesn't come to their country etc.

post #15 of 68
Quote:
Originally Posted by charlituna View Post

Short of catching them and putting them and the torrent etc site owners in jail for life, nothing

Could get all ISPs to block all P2P.

post #16 of 68
Quote:
Originally Posted by Tallest Skil View Post


So how do we change this? What needs done to get these morons back on track?



In the current climate I don't know how you can.  If the society can't agree whether truth is relative or not how can you say what is right or wrong?  When elected officials are consistently getting away with obvious corruption why should a teenager feel guilty about downloading a few movies?  In my opinion piracy won't diminish until either A) Laws are put into place with real teeth (they've tried and there's been huge backlash across Europe in the last year) or B) There's a significant spiritual change in the region.

post #17 of 68
Quote:
Originally Posted by GregInPrague View Post


Probably so, but too late because AI was actually late to this party.
Who really wants to pass their user name and password to Russia? Please people, you're only asking for trouble if you use this hack.

 

It takes an amazing combination of a sense of entitlement to everything for free and sheer stupidity to re-route your internet traffic through an untrusted Russian server just to save a few bucks.

post #18 of 68

Yay for "free acces"!

post #19 of 68
Quote:
Originally Posted by Tallest Skil View Post


Could get all ISPs to block all P2P.

 

You really think anyone could convince all the ISPs in the world to block such things?

post #20 of 68

Quote:
Originally Posted by Tallest Skil View Post


So how do we change this? What needs done to get these morons back on track?

 

You say that as though anyone who pirates movies is the scum of the earth. And to be honest, it's one of the lesser problems on the internet. Focus needs to be on serious offences, like paedophilia. Not downloading a movie that's already grossing hundreds of millions of dollars (or software from a multibillion company, like Apple, Microsoft or Adobe).

 

Quote:
Originally Posted by Tallest Skil View Post


Could get all ISPs to block all P2P.
 

Impossible. Many services use P2P that aren't torrent sites.

post #21 of 68
Quote:
Originally Posted by Tallest Skil View Post

So how do we change this? What needs done to get these morons back on track?

Simple really:

http://www.youtube.com/watch?feature=player_detailpage&v=xMk4cW9Zpj4#t=4794s

Make it more worthwhile to pay for it than to steal it. Unfortunately, not so simple to implement such a system in a digital era.

With digital content, there is such a disconnect between cause and effect that the gains from honesty are as unrecognisable as the damage done by dishonesty.

The content providers don't help matters by blocking content by region and providing it after long periods of time through exclusive/expensive distribution channels, by implementing restrictive DRM and by using measures to extort money from users via hidden charges.

People wouldn't steal movies quite so much if new movies went straight to Blu-Ray but the movie industry has managed to persuade people that a movie going direct to video/DVD/Blu-Ray means it's a failed movie when in fact, the distribution format means nothing about the quality. It's just that the movie industry knows that controlling the distribution means they can control the profits. Once it goes to retail, their control is gone.

The music industry has embraced DRM-free audio but no such luck with DRM-free video yet. I think this is due to music files being so small that it is hard to have a service where people can find what they want and get consistent quality so iTunes ends up being more worthwhile as it's 99c per song and you can find as much music as you like with quality control. If a movie is $10-15 and only comes on a DRM disc or download and you can't put it on a mobile device easily, paying for it is worse than stealing it.

I think the app issue is a minor one because the App Store works in a similar way to music. Lots of inexpensive content where it's harder to steal than pay for it. If the App Store content is worth paying for, people will generally pay for it. There certainly won't be a significant volume of the 300 million+ users who go out of their way to steal the content.
post #22 of 68
Quote:
Originally Posted by jkichline View Post

As a developer, I'd like to address Alexey with this... I'm an app developer who is neither lazy nor greedy. I'm trying to make a paycheck and it takes time and energy to create value in apps. We want to keep the cost of our app low, so we use in-app purchases when we add new features that not everyone wants to pay for. We already deal with the app being pirated and now we have the prospect of in-app purchases being stolen as well.
Why don't you get a life and actually try to improve upon your world instead of stealing from hard working developers who are trying to make a living?

I agree with you. However, I have a request:

Many of those games work fine without spending money for a few levels. Then, you get more and more things that require far more coins / jewels / rubies / stars / whatever than a person can reasonably obtain without spending money. After a while, the game is essentially unplayable without spending money.

As a good game which doesn't do that, look at Dragonvale. My daughter is at level 27 and hasn't spent a cent. Everything in the game is obtainable without spending real money. It might take a while, but it can be done. That's a great feature. OTOH, look at the Tap games or Paradise Cove. It doesn't take too long before all of the challenges involve things that require far more jewels / stars / whatever than you could reasonably expect to achieve normally.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #23 of 68
Quote:
That's exactly the mindset.

"I can't afford it, so I'm entitled to download it for free. This can't be illegal."

That's the Fandriod mindset.
post #24 of 68
Quote:
Originally Posted by Radjin View Post


That's the Fandriod mindset.

Troll much?

post #25 of 68

The slime from Windows seems to be moving over to Apple. Sad world.

post #26 of 68
Quote:
Originally Posted by TheShepherd View Post

The slime from Windows seems to be moving over to Apple. Sad world.

Or slime to begin with. Internet allows you to be anyone you want to be with any morale spouting dung throwing buffoon
post #27 of 68
CSR is using practically robbery tactics anyway.

If you play the game you'll notice it too.

AI is literally 2 weeks late on any hacks used in CSR. A YouTube video had been posted of another method was pulled and I think it's posted elsewhere now.
White Nexus 7 8GB
Black & Slate iPhone 5 32GB AT&T
post #28 of 68
Quote:
Originally Posted by charlituna View Post


Short of catching them and putting them and the torrent etc site owners in jail for life, nothing
 

 

Really?  Put someone in jail for life for stealing a song?  Wow.  Michael Jackson's killer only got 5 years but the person who downloads his music should get life???

post #29 of 68
Quote:
Originally Posted by GregInPrague View Post



In the current climate I don't know how you can.  If the society can't agree whether truth is relative or not how can you say what is right or wrong?  When elected officials are consistently getting away with obvious corruption why should a teenager feel guilty about downloading a few movies?  In my opinion piracy won't diminish until either A) Laws are put into place with real teeth (they've tried and there's been huge backlash across Europe in the last year) or B) There's a significant spiritual change in the region.


or C, nothing.

 

http://www.zeropaid.com/wp-content/uploads/2011/02/mpaa.png

 

MPAA is making money hand over fist regardless of piracy.  People who want to steal will steal, those who want to buy will buy and that is evident by the continued growth for the MPAA and RIAA.  To put draconian laws into place for something that amounts to little more than petty theft is plain ignorant.

post #30 of 68
Quote:
Originally Posted by TheShepherd View Post

The slime from Windows seems to be moving over to Apple. Sad world.


Remember, that's 90% of the world.  Here is a stool, help you climb down off your high horse.

post #31 of 68
Quote:
Originally Posted by Tallest Skil View Post


Could get all ISPs to block all P2P.


Waste of time.  One gets blocked, 10 more pop up. 

post #32 of 68
Quote:
Originally Posted by CGJ View Post

 

You say that as though anyone who pirates movies is the scum of the earth. And to be honest, it's one of the lesser problems on the internet. Focus needs to be on serious offences, like paedophilia. Not downloading a movie that's already grossing hundreds of millions of dollars (or software from a multibillion company, like Apple, Microsoft or Adobe).

 

 

Impossible. Many services use P2P that aren't torrent sites.

Theft is a crime. Period.   I'm sure you were saying pedophilia, but as moral values continue to degrade, our society will return to the days of pedophilia being legal like it was in Greece.  It was not until Christianity became the official religion there that the practice was stopped.  

post #33 of 68
Quote:
Originally Posted by AppleInsider View Post

"I can see the Apple ID and password [of users who use the hack]," Borodin said. "But not the credit card information." It appears that Apple's system passes both bits of sensitive information to the Apple Store server in unencrypted plain text.
 

Even though this guy is publishing this data whether right or wrong, or whether his intentions are honorable or dishonorable; this shows that Apple isn't as cautious as it should be with people's passwords or Apple IDs.

post #34 of 68
Quote:
Originally Posted by Hellacool View Post


Remember, thats 90% of the world.  Here is a stool, help you climb down off your high horse.

I wasn't inferring the users, I was noting that the hackers that have attacked Windows are now also trying to disrupt Apple.

post #35 of 68
Liberal art, eh?
post #36 of 68
Quote:
Originally Posted by jkichline View Post

As a developer, I'd like to address Alexey with this... I'm an app developer who is neither lazy nor greedy. I'm trying to make a paycheck and it takes time and energy to create value in apps. We want to keep the cost of our app low, so we use in-app purchases when we add new features that not everyone wants to pay for. We already deal with the app being pirated and now we have the prospect of in-app purchases being stolen as well.
Why don't you get a life and actually try to improve upon your world instead of stealing from hard working developers who are trying to make a living?

I very much understand you, but come on man the example that lad used in the video are pretty fucked up ones. 19.99 for some kind of points? That’s extortion.

Which of us is the fisherman and which the trout?

post #37 of 68

Post count 36, and still no one is blaming Apple for allowing this loophole in their in-app purchase process.

 

I know I am, you can blame the hacker for actually showing and using this loophole, but all this does is show that the in-app purchase process is fundamentally flawed in the Apple implementation.

 

I know an app developer should use the additional verification of in-app purchases, but I don't understand why Apple allows user installed certificates to be used for the first validation.


Edited by mausz - 7/13/12 at 11:40pm
post #38 of 68
Quote:
Originally Posted by genovelle View Post

Theft is a crime. Period.   I'm sure you were saying pedophilia, but as moral values continue to degrade, our society will return to the days of pedophilia being legal like it was in Greece.  It was not until Christianity became the official religion there that the practice was stopped.  

Apparently it didn't stop, it moved into the churches instead...
post #39 of 68
Quote:
Originally Posted by mausz View Post

Post count 36, and still no one is blaming Apple for allowing this loophole in their in-app purchase process.

No, I think most of us realize it's ultimately Apple's responsibility to plug this hole. But we can't have it both ways; we can't then turn around and cry foul on Apple for plugging a hole that led to a jailbreak even if the jailbreak itself isn't an illegal action or used for nefarious purposes.
Quote:
I know I am, you can blame the hacker for actually showing and using this loophole, but all this does is show that the in-app purchase process is fundamentally flawed in the Apple implementation.

It shows a hole in in-app purchases, an issue with the process, but to say that in-app purchases are flawed in its essential nature and being is just hyperbole. Do you say that Java or JavaScript or any other piece of software must be fundamentally flawed every time a bug fix is issued thus proving there were bugs? Of course not.
Quote:
I know an app developer should use the additional verification of in-app purchases, but I don't understand why Apple allows user installed certificates to be used for the first validation.

Apple allows a lot of things I dislike when it comes to security and authentication. It's unfortunate, too, because people do tend to trust Apple more because Apple has been trustworthy with their customer base, but they really need to continue to put more effort into security. With 400+ million credit cards on file I hope we never hear about a hacker getting access to so much detail about users in plain text.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #40 of 68
Quote:
Originally Posted by Tallest Skil View Post


Could get all ISPs to block all P2P.

Could get all ISPs and government to decide what you can access, download, read on the internet. And if you think that all P2P are used only for illegal activity - you are wrong again.
