Russian hacker battles with Apple to keep in-app purchase exploit alive


A Russian hacker named Alexey Borodin recently introduced a program that allowed users to steal in-app purchases from a number of popular apps on Apple’s (AAPL) App Store. It was rather simple to use: users only had to install two security certificates and change the DNS settings on their devices. The hack worked by placing Borodin’s server in between the device and Apple’s server, where it would intercept incoming purchase requests from the device, WA Today reported.

Apple responded by getting the first instructional video removed from YouTube on copyright grounds, although it was quickly replaced with a second video that is still available. The Cupertino-based company also blocked the IP address of the server used by Borodin, convinced the Russian Web host to shut down the service and even worked with PayPal to prevent him from receiving donations.

The hacker has now responded by moving to a new server that is seemingly out of Apple’s reach, and he is now accepting donations through the anonymous service Bitcoin.

Borodin notes that more than 30,000 people have used the exploit and it has become so big that he can no longer pay for the bandwidth required to run it, which is why he is accepting donations. The hacker has even tightened up the exploit so that it no longer interacts with the App Store, making it even harder for Apple to shut down. The hack doesn’t work with all apps, however; it works only with apps that use Apple’s server to validate receipts. As of Apple’s most recent iOS release, iOS 6 developer beta 3, the exploit is still functional.
