Friday, July 20, 2012

Hacker expands in-app purchase hack from iOS to Mac OS X

On the same day that Apple announced that a fix for the in-app purchasing hack exploited by Russian hacker Alexey V. Borodin would be coming - but not until iOS 6 - Borodin launched a new attack on Apple in-app purchases, this time on Mac OS X.

Apple said a full fix for the hack, which lets users "complete" in-app purchases without actually paying, would not be available until iOS 6. In the meantime, it gave developers a workaround: Apple emailed developers a link to a web page describing, in detail, how they could make sure Borodin's method wasn't leeching their revenue.

Put simply, Borodin's method works by redirecting an app's requests for Apple's servers to his own server, which sends bogus purchase-completion notifications back to the app. It's a little more involved than that - the user has to change the DNS settings on the device, which must be connected to a wi-fi network - but that's it in a nutshell. iOS 6 will, Apple said, fix the issue completely.

However, Borodin has expanded the war by moving on to Mac OS X. The "In-Appstore for OS X" service that he is now running uses a method that is very similar to that used in his prior iOS hack to spoof completed transactions.

For Mac OS X, there is a companion app called "Grim Receiper" that must be run on the local machine. Aside from that, it's nearly identical to the iOS method. After installing two local certificates, the end user changes their DNS settings to point at Borodin's server, which pretends to be the Mac App Store and issues a fake "validation" of the purchase.

If you're wondering how many people have taken advantage of Borodin's method, the answer is millions. Or rather, millions of fake transactions have been recorded, according to the hacker. He says about 8.46 million fake transactions have been made with his hack, meaning that developers - as well as Apple - have lost considerable revenue.

If the figures are correct, they make one thing clear: human nature being what it is, people find it hard to pass up a freebie, even though it hurts the developers - who can probably ill afford the loss - more than it hurts Apple, which probably can.
