Mac App Store In App Purchase Hack

Another good point about this iOS hack: do people realise the Russian guy could steal their bank accounts?

— Alastair Houghton (@al45tair) July 16, 2012

Jul 21, 2012

Now the hacker has worked his magic on the Mac App Store as well, bringing the in-app purchasing hack to Mac OS X. According to Borodin, his iOS in-app purchasing exploit has been used for over 8.5 million free purchases in the App Store. This is a huge setback for Apple and the developers, and now it’s happening in the Mac App Store as well.

On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted that the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:

Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.


It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.

Unfortunately, the service is reportedly still operational, with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled’.”

Couldn’t this iOS in-app purchasing hack be avoided by checking the certificate fingerprint against Apple’s? (Answer: yes, it could.)


— Alastair Houghton (@al45tair) July 16, 2012

While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to assure users that he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used to “intercept traffic intended for any other secure website”:

the method that Mr. Borodin is using to circumvent Apple’s receipt verification system would also, if he so wished, allow him to intercept traffic intended for any other secure website, including notably bank websites. Moreover, there would be no indication on a device configured to trust his certificate and use his DNS server that anything was wrong. If you want to end up with an empty bank account, following instructions of this kind that result in your DNS and certificate trust being under the control of an untrustworthy third party is a *really* good way to go about it.

Although Apple’s process of validating receipts would not necessarily protect developers, Houghton offered up a solution for devs while Apple works out a more permanent fix:

developers can use Apple’s verification server without being vulnerable to Borodin’s method simply by checking that the certificates being used by the Apple server are the ones that they expect. This is easy enough to do by examining the certificate fingerprints, and is probably being done in some of the applications that he says don’t work with his hack.
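To make the fingerprint check concrete, here is an added illustration (not Houghton’s code, nor anything from Apple) of certificate pinning in Python: the app still lets the TLS stack validate the chain and hostname, then additionally refuses the connection unless the SHA-256 fingerprint of the peer certificate is one it expects. The pin values, the host and port, and the helper names are all assumptions for the example; a real app records the fingerprints of the verification server’s actual certificates and keeps a backup pin for rotation.

```python
from __future__ import annotations

import hashlib
import hmac
import socket
import ssl

# CONSTRUCTED placeholder pins, not Apple's real fingerprints. A deployment
# records the SHA-256 of the DER-encoded certificate it expects (leaf or
# intermediate) plus a backup pin so the app survives a certificate rotation.
EXPECTED_PINS = {
    "sha256:" + "00" * 32,   # placeholder primary pin
    "sha256:" + "11" * 32,   # placeholder backup pin
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """True if the certificate's fingerprint equals one of the pinned values.

    compare_digest keeps each comparison constant-time; iterating the pin set
    is fine because the list of pins itself is not secret.
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def pinned_tls_connect(host: str, port: int, pins: set[str],
                       timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection, refusing it unless the peer certificate is pinned.

    The default context still performs ordinary chain and hostname validation.
    The pin check runs on top of it, so a rogue root the user was persuaded to
    trust, combined with a DNS redirect, no longer yields a connection that
    looks legitimate to the app: the socket is closed and an error is raised.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls
```

`pinned_tls_connect("example.invalid", 443, EXPECTED_PINS)` would fail with the placeholder pins by design; only once the set holds the real fingerprints does the receipt-verification request go through.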

Borodin told TNW that Apple has not contacted him, but it is clear the company is aware of the issue and working on a solution. We, of course, highly recommend avoiding the service and anything connected to Borodin.
