May 21, 2013 - 04:00 PM EDT — AAPL: 439.66 (-3.27, -0.74%) | NASDAQ: 3498.965 (+33.722, +0.97%)

Russian hacker strikes again with new ‘In-App Purchase’ exploit; ‘free’ Mac apps on OS X

Sunday, July 22, 2012 · 6:41 pm · 30 Comments

“Alexei Borodin, the same hacker who came up with the recent in-app purchase exploit that allowed free transactions for iOS users has struck again with a new method that allows users of Mac apps to do the same,” Matthew Panzarino reports for TNW. “The ‘In-Appstore for OS X’ service uses a method that’s very similar to that used on iOS devices to spoof transactions made to Apple’s servers.”

“After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase,” Panzarino reports. “It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper’ that must be run on the local machine to facilitate the process as well.”

Panzarino writes, “In-app purchasing is much more common in iOS apps than it is in Mac App Store apps, but any of this kind of theft is bad for the ecosystem and bad for developers. Here’s hoping that Apple enacts a swift fix on OS X as well as iOS.”

Read more in the full article here.

Categories: News

Tags: Alexei Borodin, crime, hacker, In-App Purchases, mac app store

Thank You for supporting MacDailyNews!

 Apple 13.3" MacBook Air dual-core Intel Core i7 2.0GHz, 8GB RAM, 512GB Flash Storage, Intel HD Graphics 4000, Mac OS X Lion (Z0ND-20GHZ8GB512) only $2,159.99
 Secret Sale Exclusive for MacMall Valued Customers Only
 Apple 15.4" MacBook Pro (with Retina display) quad-core Intel Core i7 2.3GHz/16GB RAM/256GB FS/IntelHD Graphics4000/OS X Lion (Z0MK-15-2.3-16-256RT) only $2,333.99
 Apple Blowouts: Up to $649 OFF on Last Gen Macs. Prices start at $1,999.99 w/ Free Upgrade to OS X Mountain Lion & Free FedEx Overnight ends 02/08 6:15PM PST.
 Apple 13.3" MacBook Pro dual-core Intel Core i7 2.9GHz, 8GB RAM, 750GB 5400-rpm hard drive, Intel HD Graphics 4000, Ships with Mountain Lion (MD102LL/A) only $1,419.97

Comment Feed

30 Comments

rfrmac

Sunday, July 22, 2012 - 7:02 pm · Reply

Sure these developers are all rich and they don’t need any money to continue their development. Yeah! you did it. Now go away.
mfd529

Sunday, July 22, 2012 - 7:12 pm · Reply

Only an idiot would trust another app to save 99 cents or more. Just imagine what secret back doors are tucked away inside the Grim Receiper. Credit card and banking loggers. Like Dirty Harry once said….. “Do you feel lucky punk?”
rp2010

Sunday, July 22, 2012 - 7:17 pm · Reply

Finding exploits and exposing them helps Apple in the long run. They are looking at expanding their OS presence, and this comes with the territory. Apple better start getting used to it, and to dedicating more resources at preventing them.

What doesn’t kill you makes you stronger.
- Kevin
  
  Monday, July 23, 2012 - 9:14 am · Reply
  
  True, but there is a better way of going about it than releasing it straight to the public. Granted we don’t know the whole story, but this smacks of someone enabling piracy more than helping Apple make their products better.
  - Kenrm
    
    Monday, July 23, 2012 - 11:28 am · Reply
    
    @Kevin
    
    I agree with you, this is more malicious then helpful.
silverhawk1

Sunday, July 22, 2012 - 7:27 pm · Reply

Are there not many unemployed KGB or spetznaz troopers who can assist with this problem?
UncleMacOSXR/T

Sunday, July 22, 2012 - 7:28 pm · Reply

I’m not that stupid nor desperate. Last year I wanted FCPX but not for the asking price. My 100% legal discounted method worked even though I didn’t get FCPX free I did manage to save about $100 bux by picking up several discounted iTune store gift cards over several months, mostly during the holiday shopping season.
castelbuono

Sunday, July 22, 2012 - 7:29 pm · Reply

Aside from trusting a Russian hacker, Apple will ultimately track down individuals using this or the IOS exploit.
- Derek Currie
  
  Monday, July 23, 2012 - 6:06 am · Reply
  
  Indeed. It won’t be difficult.
meerkatmac

Sunday, July 22, 2012 - 8:30 pm · Reply

At least one developer has taken matters into their own hands (see http://www.applgasm-apps.com/Blog/?p=681). It won’t be long before they all follow suit and lock this guy out.

I guess accepting donations for helping people steal from app developers isn’t illegal in Russia…? Hopefully he won’t be in business much longer.
MacFreek

Sunday, July 22, 2012 - 9:46 pm · Reply

When Alexei did it the first time it was shocking, but when he did it again it was simply embarrassing.
- Derek Currie
  
  Monday, July 23, 2012 - 6:05 am · Reply
  
  This is what hackers do. They point out security holes. I don’t mind at all.
  
  But ideally hackers give the developer of the victim system or application an opportunity to patch the hole before making it public. Alexei’s particular behavior verges into the ‘Black Hat’ hacker realm. But I’d call him ‘Grey Hat’ as he made the hack public instead of using it simply for personal profit.
Ubermac

Sunday, July 22, 2012 - 10:01 pm · Reply

This gives Apple a HUGE BACK EYE. I do hope the people at Apple get fired over this.

The law is also ridiculous. If I steal a pair of jeans in the store next door, I will get arrested. But if I hack into major companies stealing millions, I don’t.

The Russian hacker took down Amazon costing the company millions ate still free and have yet to appear in court.

What a F£€€#ick joke.
enzos

Sunday, July 22, 2012 - 10:04 pm · Reply

Obviously an outstandingly clever guy (since there must be thousands of other hackers have tried and failed). Apple should give Alexei a job (assimilate into the Borg). It might be what he’s cadging for.
- Ubermac
  
  Sunday, July 22, 2012 - 10:33 pm · Reply
  
  No he is not, it is a fairly simple hack.
  
  It is Apple that f€>#£cled this up in a big way.
  
  Developers should get together and sue Apple over the millions of dollars of losses, due to Apple’s incompetence.
  - Not again
    
    Monday, July 23, 2012 - 11:59 am · Reply
    
    Ubermac is up to his old Hate Apple B.S again.
    
    Don’t even try to explain anything to this Troll, it won’t work, that small hate filled brain won’t allow any intelligent thinking to make it in.
    
    Funny thing is this person never talks about all the hacks and cracks in the Android OS that have been allowing anyone to circumvent purchasing,and allows for rampead stealing.
    
    By Ubercrack’s view, Apple should get punished while Android hackers and thieves can still carrying on doing the same thing.
    
    Talk about hypocrisy!
    
    Oh and here is just one link out of many for Ubercrack’s delusional one track mind.
    
    Android DRM cracked… Anyone can install apps for free.
    
    http://androidappss.com/android-market/drm-crack-for-android-it-is-easy-to-pirate-android-apps/
    
    Don’t throw stones in glass houses, you might just be surprised what it does and the way it makes you look.
Ubermac

Sunday, July 22, 2012 - 10:29 pm · Reply

Apple will be the laughingstock in security for the next 10 years over this.

And deserving so!
- Derek Currie
  
  Monday, July 23, 2012 - 5:58 am · Reply
  
  No actually. The problem here is the inherent insecurity of Internet certificate system. This has been a consistent theme across the Internet for the last year and a half. Apple is only the latest victim, of many.
  
  What has to happen is a revision of the entire concept and set of standards for ‘Internet security’. Most of the current standards have been proven to be a farce. The result is that both customers and vendors on the Internet have had to implement clunky workarounds in order to obtain actual/factual Internet security. IOW: It’s a mess.
  - Derek Currie
    
    Monday, July 23, 2012 - 6:00 am · Reply
    
    Oh and BTW, anonymous coward ‘Ubermac’. Them’s trolling words. Try learning about computer security before you make yourself the laughing stock in security for the next blahblahblah…
    - Not again
      
      Monday, July 23, 2012 - 12:11 pm · Reply
      
      @Derek
      
      Ubermac is a troll, that poster has been around here about a month pushing his/her Hate for Apple, it happened after the Microsofts announcement began, or better known as the Microsoft Surface Comedy show.
      
      It doesn’t mater what you say, this one track mind of His/Hers is so far embedded, nothing you say is going to make them stop.
      
      Unermac is a Laugh Riot, seeing someone so delusional as to push as much nonsence as they can……. it’s a great sideshow!
      - Derek Currie
        
        Monday, July 23, 2012 - 5:31 pm · Reply
        
        I’ve always found troll trampling to be a golly good time. What would we do without them?
LewisITis

Sunday, July 22, 2012 - 11:58 pm · Reply

I’ll be damned. It worked!! Got 2 apps so far.
This so called hacker is probably a former or current Apple software engineer that’s just having fun with a backdoor he left in the app store code.
- dfgh
  
  Monday, July 23, 2012 - 3:10 am · Reply
  
  Congratulations, you thieving cheapskate scumbag.
- Here we go
  
  Monday, July 23, 2012 - 12:25 pm · Reply
  
  So you got (2) In-App purchases, Care to enlighten us as to what Mac Applications you added to?
  
  Se I have a very hard time believing you, you speak as if you have gotten (2) full free Applications, but since the Mac App Store has Very few Applications that have an Addon feature, I find it hard to believe you did.
  
  Oh and by the way, the exploit was stopped a few hours after the information became published.
  
  So Lewis, what Apps did you add to, better yet, what apps did you update that had the very little used in-app update, where you so crazy to open your whole system up to, by allowing this hacker to gain access to all your information, iTunes accounts, Passwords, ect…
  
  Just a heads up, don’t think Apple doesn’t know about thoes supposed in-app purchasers, since you can’t get full apps, what the hell is worth opening up your whole system to this hacker that admited he can see anyone’s information once the hit his servers.
  
  Talk about allot of Stupid!
Steve

Monday, July 23, 2012 - 1:11 am · Reply

As tempting as this is, I would not want to cheat the company and developers.

These exploits are both a bad ign and a good thing. They are a bad thing because you have wealth leaking. It is a good thing because these exploits point out certain pars of the system that need patching.

Still, I can imagine dozens of frustrated developers right now.
Nikonfoxx

Monday, July 23, 2012 - 7:37 am · Reply

Pirating songs, movies, and apps from companies that rape people financially is, to me, fair games, and I not only encourage it, but do it whenever I can…. But to pirate songs, movies and apps that are sold at fair prices ( such as found on iTunes) is a disgrace. It is like stealing money all the money from the change jar at a cash register…. It is petty and cowardly to steal from something set up to make fair business. Yes, stealing is stealing, but I sooner steal a CD or movie from a store that asks $20/cd, $40/dvd, $599 for an app because those chumps are nothing but thieves to begin with. iTunes’ prices are very fair, and honest… and yet profitable why? cuz its affordable!
What would Russia do if an American or a Canadian hacker played a number on a Russian company?
- schmluss
  
  Monday, July 23, 2012 - 8:10 am · Reply
  
  You are what is wrong with America. Stealing is stealing. The market sets the price, and if a product is priced too high, it will not sell. Who are you to judge if something is too expensive, or if a company is “raping” you?
- Not again
  
  Monday, July 23, 2012 - 12:55 pm · Reply
  
  With that attitude no wonder society is so ***ked up.
  
  It’s what’s the worst and shows up more in the last few generations, these young adults have shown a obvious entitlement psychology that is destroying everything they touch.
  
  Don’t get me wrong, I’m not singling everyone of those young adults in with the entitlement persona, But as we have seen throughout the course of history, it takes only a few to have a positive or enhance a negitive way of thinking, and it seems that the Negitive entitlement is the easiest way since it requires less Brain Power and skills to work for what you deserve then to take without any thought.
  
  With the attitude of steal from all these evil corporations, Then it’s ok for you to pay back all you Public School Education Costs or any Goverment help you may have gotten while you had been in a Private School.
  
  nikonfoxx, you didn’t learn a thing.
KarlV

Monday, July 23, 2012 - 10:52 am · Reply

I don’t really understand how this can be possible. If you can trick the App store like this with In-app purchases, why aren’t it p
KarlV

Monday, July 23, 2012 - 10:55 am · Reply

I don’t understand this att all. If its possible to trick the App store like this with in-app purchases. Why sent it not possible to trick it without? Since your credit card is charged for a purchase and a false one would not go through. Why is this in app ripp-off possible?