Apple and app developers are still scrambling to fix a vulnerability in the popular iOS software that has allowed unscrupulous iPhone, iPad and iPod users to get in-app purchases for free. Forbes reports that the hacker responsible for exploiting the flaw and posting video instructions on YouTube has extended the hack to include app purchases from the Mac App Store.
Russian developer Alexey Borodin created a hack that relies on the fact that Apple does not link a specific purchase directly to a customer or a device. Borodin used this to create a server that emulated the Apple App Store server verification process so that a single purchased receipt could be used repeatedly. This meant that once a user bought the initial app, any in-app purchases (e.g. upgrades) could be downloaded for free.
“His circumvention technique relied on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of “purchases,” and finally emulating the receipt verification server on the Apple App Store,” wrote tech columnist Emil Protalinski. “Affected iOS apps treat Borodin’s server as an official communication because of how Apple authenticates a purchase.”
Apple has been unable to plug the security hole, which does not even require the user to “jailbreak” their device, despite having tried for over a week. While unable to fix the larger problem (that it is possible to trick the App Store server into believing that fraudulent communications are legitimate), Apple has begun modifying its receipt structure to combat the issue.
Apple’s first attempts to solve the problem focused on taking down Borodin’s service rather than fixing the underlying security issue. Apple blocked the IP address of Borodin’s server, but he moved to a server in a different country. They worked with PayPal to close the account Borodin was using to collect donations, so he switched to Bitcoin. Apple had the YouTube video taken down due to a copyright claim, so Borodin started using ads on a website and uploaded a new video. Despite their efforts, the service remains functional.
Apple has now added a “unique identifier” field to receipts and has given developers tools to verify digital receipts on their own servers. However, this only works if the developer runs the receipt through their own server first. Apps that connect directly to the Apple App Store server are still vulnerable to the hack.
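As an added illustration (not code from Apple or from any app mentioned in this article), the following sketch shows the kind of developer-side receipt check described above: a receipt is accepted only if it is authentic, belongs to this app and product, carries the unique identifier of the device redeeming it, and has not been redeemed before. The receipt format, the HMAC signature and the `STORE_SECRET` are constructed stand-ins for Apple's verification service so that the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's verification secret. Real receipt
# verification is delegated to Apple's server; the HMAC here only lets the
# example run offline.
STORE_SECRET = b"constructed-store-secret"


def issue_receipt(transaction_id, product_id, bundle_id, device_id):
    """Constructed 'store' side: return a receipt that carries a per-device
    unique identifier and is signed so forged receipts are detectable."""
    body = {"transaction_id": transaction_id, "product_id": product_id,
            "bid": bundle_id, "unique_identifier": device_id}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(STORE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class ReceiptValidator:
    """Developer-side validator: every receipt passes through here before
    the app unlocks content, so a replayed or re-pointed receipt fails."""

    def __init__(self, bundle_id):
        self.bundle_id = bundle_id
        self.redeemed = set()  # transaction ids that were already granted

    def validate(self, receipt, expected_product, device_id):
        # 1. Authenticity: reject anything not signed by the store.
        sig = hmac.new(STORE_SECRET, receipt["payload"].encode(),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, receipt.get("sig", "")):
            return "rejected: bad signature"
        body = json.loads(receipt["payload"])
        # 2. Binding: the receipt must be for this app, product and device.
        if body["bid"] != self.bundle_id:
            return "rejected: wrong bundle id"
        if body["product_id"] != expected_product:
            return "rejected: wrong product"
        if body["unique_identifier"] != device_id:
            return "rejected: receipt issued to another device"
        # 3. Replay: one purchase unlocks content exactly once.
        if body["transaction_id"] in self.redeemed:
            return "rejected: receipt already redeemed"
        self.redeemed.add(body["transaction_id"])
        return "ok"
```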
In an interview with The Next Web, Borodin stated that he wants Apple to fix the problem by changing its APIs or placing new blocks on its service. Borodin cites the fact that Apple has not contacted him about the issue as part of the reason he continues to play cat and mouse with Cupertino.
Users who use the hack are putting their own accounts at risk, not just from an angry Apple but from Borodin himself.
“I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin was “shocked” that passwords were passed in plain text and not encrypted. This is why the hack only works on Apple devices.
Apple has stated that the security flaw will be removed completely in iOS 6, which is expected to be released later this year in preparation for the launch of the iPhone 5.