Apple blocks iOS in-app purchase fraud, hacker admits defeat
Apple (NASDAQ:AAPL) has successfully blocked an App Store hack that let iOS device owners make in-app purchases for free.
Russian developer Alexey Borodin designed the in-app purchase hack, which relied on installing bogus certificates on iPhones and iPads and pointing them at a customized DNS server, so that iOS apps believed they were communicating with the App Store and validating user purchases. According to Borodin, "every in-app receipt is generic" and contains no direct user data, making transactions "easy to spoof." Borodin later extended the exploit to Apple's Mac OS X platform.
On Friday, Apple emailed registered iOS developers to explain the hack exploited vulnerabilities in iOS 5.1 and earlier. "An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker," Apple said. "Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid. iOS 6 will address this vulnerability."
Because consumers can continue exploiting the hack until iOS 6 is officially released later this year, Apple urged iOS developers to send in-app purchase receipts to their own servers, which should then validate them with Apple's App Store servers rather than trusting validation performed on the device. The company also provided private APIs designed to help developers further safeguard their software against hacks.
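A server-side validator of the kind Apple's advice describes, as an added example that is not the article's or Apple's code. It assumes the verifyReceipt endpoint and the receipt field names noted in the docstring, and it injects the App Store call so the decision logic can be exercised without network access.

```python
"""Server-side in-app purchase receipt validation (added example).

Assumptions (not from the article): receipts are checked by POSTing
{"receipt-data": <base64>} to Apple's verifyReceipt endpoint, which answers
JSON with "status" (0 = valid) and a "receipt" object carrying "bid",
"product_id" and "transaction_id". Confirm these against Apple's current
receipt documentation before relying on them.
"""
import json
import ssl
import urllib.request

VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # assumed endpoint


def ask_app_store(receipt_b64: str) -> dict:
    """Contact Apple from the developer's own server over system-trusted TLS.

    The device's DNS table and any user-installed certificate authority play
    no part in this connection, which is the point of moving validation off
    the device."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # verifies hostname and chain
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def validate_purchase(receipt_b64, expected_bundle, expected_product,
                      seen_transactions, ask=ask_app_store):
    """Return (ok, reason).

    `seen_transactions` is the server's record of transaction ids already
    credited; because receipts are generic, a replayed one must be refused."""
    answer = ask(receipt_b64)
    if answer.get("status") != 0:
        return False, "app store rejected receipt"
    receipt = answer.get("receipt", {})
    if receipt.get("bid") != expected_bundle:
        return False, "receipt is for another app"
    if receipt.get("product_id") != expected_product:
        return False, "receipt is for another product"
    tx = receipt.get("transaction_id")
    if not tx or tx in seen_transactions:
        return False, "transaction id missing or already used"
    seen_transactions.add(tx)
    return True, "ok"
```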
Writing Monday on his In-Appstore blog, Borodin admitted defeat. "By examining [Apple's] statement about in-app purchases in iOS 6, I can say that currently game is over," he said. "Currently we have no way to bypass updated APIs." Borodin added he will continue to focus on Mac OS X, stating "We have some cards in the hand. It's good that OS X is open."