In-app purchasing exploit discovered for OS X apps

Posted in General Discussion, edited January 2014
Coming on the heels of Apple's attempts to plug an iOS in-app purchasing exploit, the latest being a developer support document released on Friday, a similar workaround has reportedly been found for desktop programs running on OS X.

Discovered and implemented by the same Russian hacker who crafted the iOS in-app purchasing workaround, the so-called "In-Appstore for OS X" uses a similar receipt-spoofing method to bypass Apple's validation system to get paid content for free, reports The Next Web.

Alexey Borodin's newest exploit uses the same DNS redirection and receipt spoofing method outlined in previous reports to fool apps into accepting in-app purchases that were never paid for.

The system requires a user to install certificates supplied with the tool on their Mac and point the machine's DNS settings at a server Borodin hosts. That DNS server resolves Apple's receipt-verification address to a replica of the Mac App Store verification service, which answers the app's receipt check with a spoofed "valid" response. The app, trusting the answer, unlocks the paid content.

Screenshot of Borodin's "In-Appstore for OS X" exploit in action. | Source: The Next Web
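The bypass described above works because the app treats whatever the receipt-verification endpoint returns as authoritative: once DNS points that hostname at a replica and the replica's certificate is trusted, a canned "status 0" answer unlocks the content. What follows is an added example, not code from the article or from Borodin's tool. It shows the trusting check beside a hardened one, run over constructed responses shaped like the verifyReceipt JSON apps received at the time; the bundle and product identifiers, transaction IDs and the ReceiptValidator class are all invented for illustration.

```python
import json
from typing import Optional, Set

# Constructed sample responses in the shape of the verifyReceipt JSON an app
# received in 2012. All identifiers are invented for this example.
LEGIT_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.desktopgame",
        "product_id": "com.example.desktopgame.gold_pack",
        "transaction_id": "1000000052345678",
        "purchase_date": "2012-07-13 10:01:00 Etc/GMT",
        "quantity": "1",
    },
})

# A canned answer a replica server could return for any receipt it is sent:
# status 0, but the receipt belongs to some other app and product.
SPOOFED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.somebody.else",
        "product_id": "com.somebody.else.pro_upgrade",
        "transaction_id": "1000000000000001",
        "purchase_date": "2012-07-13 10:01:00 Etc/GMT",
        "quantity": "1",
    },
})


def naive_is_valid(response_body: str) -> bool:
    """The pattern the spoof exploits: unlock on any body whose status is 0."""
    try:
        return json.loads(response_body).get("status") == 0
    except (ValueError, AttributeError):
        return False


class ReceiptValidator:
    """Checks a verification response against what the app itself knows."""

    def __init__(self, bundle_id: str, known_products: Set[str]) -> None:
        self.bundle_id = bundle_id
        self.known_products = known_products
        # Transaction IDs already credited; a repeated ID is a replay.
        self.seen_transactions: Set[str] = set()

    def validate(self, response_body: str, expected_product_id: str) -> bool:
        try:
            data = json.loads(response_body)
        except ValueError:
            return False
        if not isinstance(data, dict) or data.get("status") != 0:
            return False
        receipt = data.get("receipt")
        if not isinstance(receipt, dict):
            return False
        # The receipt must be for this app ...
        if receipt.get("bid") != self.bundle_id:
            return False
        # ... and for the product the user just tried to buy, which must be one we sell.
        product_id = receipt.get("product_id")
        if product_id != expected_product_id or product_id not in self.known_products:
            return False
        # Each transaction may be credited once.
        tx: Optional[str] = receipt.get("transaction_id")
        if not isinstance(tx, str) or not tx or tx in self.seen_transactions:
            return False
        self.seen_transactions.add(tx)
        return True


if __name__ == "__main__":
    validator = ReceiptValidator("com.example.desktopgame",
                                 {"com.example.desktopgame.gold_pack"})
    product = "com.example.desktopgame.gold_pack"
    print("naive accepts spoof:", naive_is_valid(SPOOFED_RESPONSE))
    print("hardened accepts legit:", validator.validate(LEGIT_RESPONSE, product))
    print("hardened accepts replay:", validator.validate(LEGIT_RESPONSE, product))
    print("hardened accepts spoof:", validator.validate(SPOOFED_RESPONSE, product))
```

Field checks like these defeat a canned response, but a replica that echoes the app's own identifiers back would pass them. The checks a redirected client cannot be tricked out of are the ones that run where the attacker controls neither DNS nor the trust store: forwarding the receipt to your own server, which talks to Apple directly, and not letting the client's connection to that server trust roots a user installed.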


According to Borodin, some 8.46 million transactions have been made with his spoofing method, though it is not clear whether that number includes the new system targeting OS X. Apple has the option to push out a fix through Software Update, and the Mac maker is on the verge of releasing OS X Mountain Lion, with a host of security features including Gatekeeper, later in July.

On the same day as the OS X hack's release, Apple sent out emails inviting iOS app developers to use the company's new protected receipt validation system to thwart last week's in-app purchasing exploit, ahead of a permanent solution expected in iOS 6.

Comments

  • Reply 1 of 15
    tallest skil (Posts: 43,388, member)

    Hey, all right. Looks like we might get a 10.8 GM 2.
  • Reply 2 of 15


    There are in-app purchases on OS X?

    News to me... I should use the MAS more often.
  • Reply 3 of 15
    gazoobee (Posts: 3,754, member)

    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.

    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery. So sad.

    No wonder it's the first place Assad's wife would think to flee to from Syria.
  • Reply 4 of 15
    They'd probably only have to update the Mac App Store application itself. And I doubt it would require a new GM. A new Mountain Lion GM is not going to fix anything on Snow Leopard or Lion.
  • Reply 5 of 15
    ljocampo (Posts: 657, member)

    And the cat & mouse games begin. Again and again...
  • Reply 6 of 15

    Quote:
    Originally Posted by Gazoobee View Post
    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.
    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery. So sad.
    No wonder it's the first place Assad's wife would think to flee to from Syria.

    I love all of the things you just claimed were bad
  • Reply 7 of 15
    eriamjh (Posts: 1,834, member)

    I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.

    Let them be found so that they may be closed.

    It has often been said that companies should hire these hackers so they can make their products better.
  • Reply 8 of 15
    hill60 (Posts: 6,992, member)

    If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?

    I wonder how many iTunes accounts this guy has harvested.
  • Reply 9 of 15
    markbyrn (Posts: 662, member)

    Quote:
    Originally Posted by Eriamjh View Post
    I guess it shows that Apple has been a bit lazy in its encryption/security of the in-app communication, particularly, back to its own servers.
    Let them be found so that they may be closed.
    It has often been said that companies should hire these hackers so they can make their products better.

    Exactly, and Apple should probably take a page out of Google's book and offer up a nice cash reward for those who identify these types of exploits. Instead, Apple's wall of silence and Mr. Double Down on Secrecy won't react until the exploit is out in the wild and they're being skewered by the tech media, humbled by the hackers, and then forced out of their cocoon of silence to do PR & damage control.
  • Reply 10 of 15
    sensi (Posts: 346, member)

    gazoobee wrote: »
    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.
    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery. So sad.
    No wonder it's the first place Assad's wife would think to flee to from Syria.

    Have you ever visited Russia, or are your generalizations just gratuitous and conditioned?
  • Reply 11 of 15
    hungover (Posts: 603, member)

    Quote:
    Originally Posted by hill60 View Post
    If a shady looking van pulled up beside you in the street, would you hand over your house keys so they could give you a "free" paint job while you were out?
    I wonder how many iTunes accounts this guy has harvested.

    I don't know about this latest embarrassment, but the hacker is not interested in people's iTunes details. He changed the phone version so that people had to log out of iTunes before running the process.
  • Reply 12 of 15
    hungover (Posts: 603, member)

    Quote:
    Originally Posted by Gazoobee View Post
    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.
    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery. So sad.
    No wonder it's the first place Assad's wife would think to flee to from Syria.

    So what system would you have expected them to have adopted other than capitalism?
  • Reply 13 of 15
    socrates (Posts: 261, member)

    Quote:
    Originally Posted by Gazoobee View Post
    I remember being so happy when I heard that the iron curtain was falling and Russia would finally be a free, democratic law-abiding society.
    All that's come out of there since however is shit, crime, misogyny, pornography, and tacky jewellery. So sad.
    No wonder it's the first place Assad's wife would think to flee to from Syria.

    Some people would argue that the primary benefit of the fall of the Iron Curtain was that the Cold War ended before Russia or America nuked each other and started World War III.

    But you're right, I think those people are failing to see the big picture here.
  • Reply 14 of 15
    tyler82 (Posts: 1,117, member)

    Russia's biggest export is bootlegging and section 8 immigrants.
  • Reply 15 of 15


    Hopefully Apple will implement some way of blacklisting users and/or devices used to bypass payments for content like this, ideally locking them out of not just the App Store but also triggering a self-destruct on the apps they've tried to steal so that they can't benefit from their blatant theft.

    Who does this Russian guy think he's benefiting? Certainly not the app developers who are entitled to the compensation for their effort. If he and his like don't want to pay for something they shouldn't be allowed to keep hold of it. This Borodin guy disgusts me.