In-app purchasing exploit discovered for OS X apps

Posted:
in General Discussion edited January 2014
Coming on the heels of Apple's attempts to plug an iOS in-app purchasing exploit, the latest being a developer support document released on Friday, a similar workaround has reportedly been found for desktop programs running on OS X.

Discovered and implemented by the same Russian hacker who crafted the iOS in-app purchasing workaround, the so-called "In-Appstore for OS X" uses a similar receipt-spoofing method to bypass Apple's validation system to get paid content for free, reports The Next Web.

Alexey Borodin's newest exploit uses the same DNS server routing and receipt spoofing method outlined in previous reports to fool apps into validating dubious in-app purchases.

The system requires a user to install local certificates on their Mac and route purchases to a specially-created DNS server hosted by Borodin. The server, set up to be a replica of the Mac App Store, then sends back a spoofed receipt verification.

InAppstore
Screenshot of Borodin's "In-Appstore for OS X" exploit in action. | Source: The Next Web


According to Borodin some over 8.46 million transactions have been made with his spoofing method, though it is not clear if that number includes the new system targeting OS X. Apple has the option to push out a fix through Software Update and the Mac maker is on the verge of releasing its new OS X Mountain Lion with a host of security protocols including the Gatekeeper security system later in July.

On the same day of the OS X app hack's release, Apple sent out emails inviting iOS app developers to use the company's new protected receipt validation system to thwart last week's in-app purchasing exploit ahead of permanent solution expected in iOS 6.

Comments

  • Reply 1 of 15
    tallest skiltallest skil Posts: 43,399member


    Hey, all right. Looks like we might get a 10.8 GM 2.

  • Reply 2 of 15


    There are in-app purchases on OS X?


     


    News to me... I should use the MAS more often. 

  • Reply 3 of 15
    gazoobeegazoobee Posts: 3,754member


    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  


     


    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  


     


    No wonder it's the first place Assad's wife would think to flee to from Syria. 

  • Reply 4 of 15
    They'ed probably only have to update the Mac App Store Application itself. And I doubt it would require a new GM. A new Mountain Lion GM is not going to fix any thing on Snow Leopard or Lion.
  • Reply 5 of 15
    ljocampoljocampo Posts: 657member


    And the cat & mouse games begin. again and again...

  • Reply 6 of 15

    Quote:

    Originally Posted by Gazoobee View Post


    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  


     


    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  


     


    No wonder it's the first place Assad's wife would think to flee to from Syria. 



    I love all of the things you just claimed were bad

  • Reply 7 of 15
    eriamjheriamjh Posts: 1,340member


    I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.  


     


    Let them be found so that they may be closed.


     


    It has often been said that companies should hire these hackers so they can make their products better.  

  • Reply 8 of 15
    hill60hill60 Posts: 6,992member


    If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?


     


    I wonder how many iTunes accounts this guy has harvested.

  • Reply 9 of 15
    markbyrnmarkbyrn Posts: 646member

    Quote:

    Originally Posted by Eriamjh View Post


    I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.  


     


    Let them be found so that they may be closed.


     


    It has often been said that companies should hire these hackers so they can make their products better.  



    Exactly, and Apple should probably take a page out of Google's book and offer up a nice cash reward for those who identify these type of exploits.  Instead, Apple's wall of silence and Mr. Double Down on Secrecy won't react until the exploit is out in the wild and they're being skewered by the tech media, humbled by the hackers, and than forced out of their cocoon of silence to do PR & damage control.  

  • Reply 10 of 15
    sensisensi Posts: 346member
    gazoobee wrote: »
    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  

    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  

    No wonder it's the first place Assad's wife would think to flee to from Syria. 
    Do you ever visited Russia or are your generalizations just gratuitous and conditioned?
  • Reply 11 of 15
    hungoverhungover Posts: 603member

    Quote:

    Originally Posted by hill60 View Post


    If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?


     


    I wonder how many iTunes accounts this guy has harvested.



     I don't know about this latest embarrassment, but the hacker is not interested in peoples' itunes details. He changed the phone version so that people had to log out of itunes before running the process.

  • Reply 12 of 15
    hungoverhungover Posts: 603member

    Quote:

    Originally Posted by Gazoobee View Post


    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  


     


    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  


     


    No wonder it's the first place Assad's wife would think to flee to from Syria. 



     So what system would you have expected them to have adopted other than capitalism?

  • Reply 13 of 15
    socratessocrates Posts: 261member

    Quote:

    Originally Posted by Gazoobee View Post


    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.  


     


    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery.  So sad.  


     


    No wonder it's the first place Assad's wife would think to flee to from Syria. 



     


    Some people would argue that the primary benefit of the fall of the Iron Curtain was that the Cold War ended before Russia or America nuked each other and started World War III.


     


    But you're right, I think those people are failing to see the big picture here.

  • Reply 14 of 15
    tyler82tyler82 Posts: 969member


    Russia's biggest export is bootlegging and section 8 immigrants. 

  • Reply 15 of 15


    Hopefully Apple will implement some way of blacklisting users and/or devices used to bypass payments for content like this, ideally locking them out the of not just the App Store but also triggering a self-destruct on the apps they've tried to steal so that they can't benefit from their blatant theft.


     


    Who does this Russian guy think he's benefiting? Certainly not the app developers who are entitled to the compensation for their effort. If he and his like don't want to pay for something they shouldn't be allowed to keep hold of it. This Borodin guy disgusts me. 

Sign In or Register to comment.