or Connect
AppleInsider › Forums › General › General Discussion › In-app purchasing exploit discovered for OS X apps
New Posts  All Forums:Forum Nav:

In-app purchasing exploit discovered for OS X apps

post #1 of 16
Thread Starter 
Coming on the heels of Apple's attempts to plug an iOS in-app purchasing exploit, the latest being a developer support document released on Friday, a similar workaround has reportedly been found for desktop programs running on OS X.

Discovered and implemented by the same Russian hacker who crafted the iOS in-app purchasing workaround, the so-called "In-Appstore for OS X" uses a similar receipt-spoofing method to bypass Apple's validation system to get paid content for free, reports The Next Web.

Alexey Borodin's newest exploit uses the same DNS server routing and receipt spoofing method outlined in previous reports to fool apps into validating dubious in-app purchases.

The system requires a user to install local certificates on their Mac and route purchases to a specially-created DNS server hosted by Borodin. The server, set up to be a replica of the Mac App Store, then sends back a spoofed receipt verification.

InAppstore
Screenshot of Borodin's "In-Appstore for OS X" exploit in action. | Source: The Next Web


According to Borodin some over 8.46 million transactions have been made with his spoofing method, though it is not clear if that number includes the new system targeting OS X. Apple has the option to push out a fix through Software Update and the Mac maker is on the verge of releasing its new OS X Mountain Lion with a host of security protocols including the Gatekeeper security system later in July.

On the same day of the OS X app hack's release, Apple sent out emails inviting iOS app developers to use the company's new protected receipt validation system to thwart last week's in-app purchasing exploit ahead of permanent solution expected in iOS 6.
post #2 of 16

Hey, all right. Looks like we might get a 10.8 GM 2.

post #3 of 16

There are in-app purchases on OS X?

 

News to me... I should use the MAS more often. 

post #4 of 16

I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

 

All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

 

No wonder it's the first place Assad's wife would think to flee to from Syria. 

post #5 of 16
They'ed probably only have to update the Mac App Store Application itself. And I doubt it would require a new GM. A new Mountain Lion GM is not going to fix any thing on Snow Leopard or Lion.
post #6 of 16

And the cat & mouse games begin. again and again...

post #7 of 16
Quote:
Originally Posted by Gazoobee View Post

I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

 

All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

 

No wonder it's the first place Assad's wife would think to flee to from Syria. 

I love all of the things you just claimed were bad

Groupthink is bad, mkay. Think Different is the motto.
Reply
Groupthink is bad, mkay. Think Different is the motto.
Reply
post #8 of 16

I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.  

 

Let them be found so that they may be closed.

 

It has often been said that companies should hire these hackers so they can make their products better.  

post #9 of 16

If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?

 

I wonder how many iTunes accounts this guy has harvested.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
post #10 of 16
Quote:
Originally Posted by Eriamjh View Post

I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.  

 

Let them be found so that they may be closed.

 

It has often been said that companies should hire these hackers so they can make their products better.  

Exactly, and Apple should probably take a page out of Google's book and offer up a nice cash reward for those who identify these type of exploits.  Instead, Apple's wall of silence and Mr. Double Down on Secrecy won't react until the exploit is out in the wild and they're being skewered by the tech media, humbled by the hackers, and than forced out of their cocoon of silence to do PR & damage control.  

post #11 of 16
Quote:
Originally Posted by Gazoobee View Post

I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

No wonder it's the first place Assad's wife would think to flee to from Syria. 
Do you ever visited Russia or are your generalizations just gratuitous and conditioned?
post #12 of 16
Quote:
Originally Posted by hill60 View Post

If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?

 

I wonder how many iTunes accounts this guy has harvested.

 I don't know about this latest embarrassment, but the hacker is not interested in peoples' itunes details. He changed the phone version so that people had to log out of itunes before running the process.

post #13 of 16
Quote:
Originally Posted by Gazoobee View Post

I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

 

All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

 

No wonder it's the first place Assad's wife would think to flee to from Syria. 

 So what system would you have expected them to have adopted other than capitalism?

post #14 of 16
Quote:
Originally Posted by Gazoobee View Post

I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

 

All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

 

No wonder it's the first place Assad's wife would think to flee to from Syria. 

 

Some people would argue that the primary benefit of the fall of the Iron Curtain was that the Cold War ended before Russia or America nuked each other and started World War III.

 

But you're right, I think those people are failing to see the big picture here.

"There's no chance that the iPhone is going to get any significant market share. No chance" - Steve Ballmer
Reply
"There's no chance that the iPhone is going to get any significant market share. No chance" - Steve Ballmer
Reply
post #15 of 16

Russia's biggest export is bootlegging and section 8 immigrants. 

post #16 of 16

Hopefully Apple will implement some way of blacklisting users and/or devices used to bypass payments for content like this, ideally locking them out the of not just the App Store but also triggering a self-destruct on the apps they've tried to steal so that they can't benefit from their blatant theft.

 

Who does this Russian guy think he's benefiting? Certainly not the app developers who are entitled to the compensation for their effort. If he and his like don't want to pay for something they shouldn't be allowed to keep hold of it. This Borodin guy disgusts me. 

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: General Discussion
AppleInsider › Forums › General › General Discussion › In-app purchasing exploit discovered for OS X apps