or Connect
AppleInsider › Forums › General › General Discussion › In-app hack creator admits defeat, says 'it's all over?for now'
New Posts  All Forums:Forum Nav:

In-app hack creator admits defeat, says 'it's all over?for now'

post #1 of 13
Thread Starter 
The Russian hacker responsible for discovering a system to sidestep paying for in-app purchases confirmed on Monday that Apple's newly-instituted receipt validation system is effective.

In a blog post on his website on Monday titled "It's all over?for now," Alexey Borodin said there is no way to bypass the new APIs Apple rolled out late last week as a quick fix for the revenue-stealing exploit made public earlier in July, reports The Mac Observer.

Word of the exploit, which validated fraudulent purchases by routing them through a specialized DNS server which spoofed digital receipts, first came a little over a week ago. Apple responded by blocking the IP addresses associated with Borodin's workaround and attempting to shut down the DNS servers hosting the dubious receipt validations.

The iPhone maker announced a temporary solution to plug the hole days later and announced that a permanent fix would be present in the upcoming iOS 6 mobile operating system.

App Hack
Screenshot of Borodin's iOS in-app purchase workaround in action.


From Borodin's Monday blog post:

Hello everyone.
By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.
But, service will still remain operational until iOS 6 comes out.

The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.


Apple's solution leverages receipts which carry a "unique identifier" to validate in-app purchases. The previous system merely generated generic receipts with no specific user data attached, thus allowing for easily spoofed validations. It remains unclear what type of unique identifier is being used, though some have speculated it could be a proprietary system based on UDID data.

An email regarding the security changes was issued last Friday which asked developers to take necessary precautions listed on a special support page. As part of the fix content makers were given access to two private Apple APIs for the express purpose of validating in-app purchases with Apple's new system.

Most recently, Borodin created a workaround for in-app purchasing in
post #2 of 13

Oi! How do you say, 'screw you' in Russian? This guy wants our sympathy, he can forget it.

 

On a related note…

post #3 of 13
The guy wanted some fame and hopefully a few usable credit card numbers. He got at least one of them.

As for the pat he's giving himself, the fix has been there for a while if developers wanted to use it so all he did was kick a few of the lazier ones in the ass. He really didn't cause some major OS change like he wants folks to think. The stuff in ios 6 was triggered by the jailbreak not him

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #4 of 13

It's amazing that people would give their account details to some Russian website/hacker in order to save 99 cents here and there.  Why certainly! And why aren't those users on Android?

post #5 of 13

It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.

 

We all remember the DigiNotar mess - Apple took weeks to fix that as well. And last week Adobe suffered the same pain as all the iOS developers when their software stopped working because of a change Apple had made.

post #6 of 13
Quote:
Originally Posted by neiltc13 View Post

It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.

 

 

 

Most apps are not affected by this because they don't  use the IAP system. Even in those that do many are not affected because they used the previously built in checks system that has been around for a while. 

 

This issue won't affect any users unless they use it and if they are that greedy and or were that stupid and greedy that's not Apple's fault. If developers are so lazy that they won't do that is perhaps a few hours work to add the change (which Apple spells out in detail) that's not Apple's fault. Nor is it a 'flaw' that Apple attempted to trust the developers and users to be good honest folks. Well actually it is a flaw but not in the software, the flaw is that Apple ever had that belief. 

 

As for the Adobe comment, most of the time that software stops working due to a change, that change was broadcast to folks ahead of time so it's not Apple's fault that someone didn't keep up. This is true of this issue given that Apple released a beta of the 10.7.4 update to the developers in advance. If Adobe's people had been doing their jobs they would have seen the change and updated appropriately. They weren't and they didn't. 


Edited by charlituna - 7/23/12 at 3:58pm

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #7 of 13
Quote:
Originally Posted by neiltc13 View Post

The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.

 

 

Mr Borodin is coming across as an utter jerk in the way he has handled this issue.

 

And I must admit to being quite disappointed by the number of big name iOS developers who still don't appear to have taken the effort to have updated their apps to include Retina display support, four months after the debut of the new iPad.

 

Yeah, Adobe, I'm looking at you.

 

And to think graphics are part of their core business.

 

It will be interesting to see how many react quickly to protect their potential income instead.

I always appreciate an Android fan who puts his energy into advertising Apple products.
Reply
I always appreciate an Android fan who puts his energy into advertising Apple products.
Reply
post #8 of 13
Quote:
Originally Posted by neiltc13 View Post

It's still quite shocking that Apple isn't properly fixing this for another few months. The exploit is only fixed if developers put the effort in and update their own apps, because of a flaw in Apple's own software.

 

We all remember the DigiNotar mess - Apple took weeks to fix that as well. And last week Adobe suffered the same pain as all the iOS developers when their software stopped working because of a change Apple had made.

Oh I don't take the same take as you. It seems to me that every exploit that Apple has learned of has been taken seriously and has eventually been corrected. They have a pretty good track record that way. Just because they don't make knee jerk decisions and quickly throw out some messy code fix, doesn't mean that Apple isn't fixing the flaw. They take a little more time, but do it right. I'm just sayin'.

 

There are other Operating System companies out there that don't handle exploits nearly as quickly or efficiently as Apple. They shall remain nameless, you can figure it out.

post #9 of 13
Quote:
Originally Posted by SixnaHalfFeet View Post
There are other Operating System companies out there that don't handle exploits nearly as quickly or efficiently as Apple. They shall remain nameless, you can figure it out.

 

But… patch Tuesdays… 

post #10 of 13
Quote:
Originally Posted by Tallest Skil View Post

 

But… patch Tuesdays… 

Don't forget "Exploit Wednesdays"! 

Samsung Galaxy series: Faster on a benchmark, not in your hand.

Reply

Samsung Galaxy series: Faster on a benchmark, not in your hand.

Reply
post #11 of 13
Quote:
Originally Posted by carmelapple View Post

Don't forget "Exploit Wednesdays"! 

Or RIM's layoff Thursday's jested on the nyt and wsj.
post #12 of 13
Quote:
Originally Posted by mrstep View Post

It's amazing that people would give their account details to some Russian website/hacker in order to save 99 cents here and there.  Why certainly! And why aren't those users on Android?


Obviously because they're sleazy Apple fans not capable of using real slick phones?
Really, that kind of pseudo-question is ridiculously lame... I do agree with you on the "giving account details to a russian website" part...

 

 

Quote:
Originally Posted by Tallest Skil View Post

Oi! How do you say, 'screw you' in Russian? This guy wants our sympathy, he can forget it.

 

Well, I won't judge given I don't have any idea who he is, but isn't exposing hidden issues a good thing? I mean, people seem to have abused that loophole silently to steal revenue from developers, and now that Borodin has caused that ruckus, money flows back to the hard-working ones, no?

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

Reply

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

Reply
post #13 of 13
Quote:
Originally Posted by lightknight View Post

…isn't exposing hidden issues a good thing?

 

And I'd be praising him if that had been his actual intent.

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: General Discussion
AppleInsider › Forums › General › General Discussion › In-app hack creator admits defeat, says 'it's all over?for now'