Monday, July 16, 2012

Apple tries unsuccessfully to block hacker's in-app purchase exploit

Apple has taken steps to block the method used by Russian hacker Alexey V. Borodin to circumvent the iOS in-app purchase process.

Borodin's method works by sending purchase attempts to third-party servers, where they are validated and returned to the application as if the transaction had been completed. The method requires the device to be on a Wi-Fi network and to have its DNS server settings altered, but does not require jailbreaking.

Borodin originally published the hack using the handle ZonD80.

In an attempt to block the method, Apple took the following steps:
  • It blocked the IP address of the server used by Borodin to authenticate purchases.
  • It issued a copyright claim on the YouTube demo video.
  • It convinced the host of Borodin's original server, which was located in Russia, to drop his service.
PayPal assisted as well, by placing a block on the account that Borodin was using for donations.

However, Borodin has managed to keep the service running. He moved his server to an offshore country, where it might be safe. He's even improved on his method, saying that his protocol has been modified to "include its own authorisation and transaction processes." His new method “can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”

In addition, in order to use the "service," users must now first sign out from their iTunes account. He said he did this so that “[the users] don’t scream to the Internet that I am stealing their credentials.”

It's a cat-and-mouse game, and eventually the cat (Apple) will win, but for now the mouse is enjoying itself. In fact, after Apple took down the original demo video, Borodin put up a new one.
