“After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase,” Panzarino reports. “It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper’ that must be run on the local machine to facilitate the process as well.”
Panzarino writes, “In-app purchasing is much more common in iOS apps than it is in Mac App Store apps, but any of this kind of theft is bad for the ecosystem and bad for developers. Here’s hoping that Apple enacts a swift fix on OS X as well as iOS.”