“On Friday, we broke the news on some worrying tips we received about an ‘in-app proxy’ hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack,” Jordan Kahn reports for 9to5Mac. “Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend: ‘Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.’”
“It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service,” Kahn reports. “Unfortunately, the service is reportedly still operational with Borodin apparently moving the server to a location outside of Russia.”
[Thanks to MacDailyNews Reader “Brawndo Drinker” for the heads up.]
Related article:
Apple iOS in-app purchases hacked; allows users to download anything for free – July 13, 2012
I was okay with him releasing this information as a POC to expose the vulnerability, but him now moving to a different server IP to keep it working means that he is just a criminal. I’d expect that Mr. Borodin is going to end up finding himself in some trouble.
I agree, he needs to be treated as a criminal hacker and this is a crime now, not a vulnerability demonstration.
Guess this indicates Apple may not hire Alexey, as he boasted.
Sounds as though in-app purchase requests need to be rerouted to his server. Correct me if I’m wrong on this. If so, I’m guessing he is harvesting as he goes. If that is true, anyone who takes advantage of this is likely due for a surprise.
This is where developers get to discover the value of living in Apple’s gated community. It seems Apple is moving fast and aggressively. I hope the developers see and appreciate the acts to protect their revenue stream.
Yes, anyone using this is an idiot, as they are being proxied through his server.
There is also a good possibility that he is also harvesting all of their internet activity as well – since you are relaying through him, he could intercept any traffic intended for any website.
He has a DNS server now in the Netherlands, apparently a hacker haven.
Apple should have a Denial of Service setup that can take down any such server the moment it raises its head.