Russian hacker strikes again with new ‘In-App Purchase’ exploit; ‘free’ Mac apps on OS X

“Alexei Borodin, the same hacker who came up with the recent in-app purchase exploit that allowed free transactions for iOS users, has struck again with a new method that allows users of Mac apps to do the same,” Matthew Panzarino reports for TNW. “The ‘In-Appstore for OS X’ service uses a method that’s very similar to that used on iOS devices to spoof transactions made to Apple’s servers.”

“After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase,” Panzarino reports. “It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper’ that must be run on the local machine to facilitate the process as well.”

Panzarino writes, “In-app purchasing is much more common in iOS apps than it is in Mac App Store apps, but any of this kind of theft is bad for the ecosystem and bad for developers. Here’s hoping that Apple enacts a swift fix on OS X as well as iOS.”

Read more in the full article here.


  1. Only an idiot would trust another app to save 99 cents or more. Just imagine what secret back doors are tucked away inside the Grim Receiper. Credit card and banking loggers. Like Dirty Harry once said… “Do you feel lucky, punk?”

  2. Finding exploits and exposing them helps Apple in the long run. They are looking at expanding their OS presence, and this comes with the territory. Apple better start getting used to it, and to dedicating more resources at preventing them.

    What doesn’t kill you makes you stronger.

    1. True, but there is a better way of going about it than releasing it straight to the public. Granted we don’t know the whole story, but this smacks of someone enabling piracy more than helping Apple make their products better.

  3. I’m not that stupid or desperate. Last year I wanted FCPX but not for the asking price. My 100% legal discounted method worked: even though I didn’t get FCPX free, I did manage to save about $100 bucks by picking up several discounted iTunes Store gift cards over several months, mostly during the holiday shopping season.

    1. This is what hackers do. They point out security holes. I don’t mind at all.

      But ideally hackers give the developer of the victim system or application an opportunity to patch the hole before making it public. Alexei’s particular behavior verges into the ‘Black Hat’ hacker realm. But I’d call him ‘Grey Hat’ as he made the hack public instead of using it simply for personal profit.

  4. This gives Apple a HUGE BLACK EYE. I do hope the people at Apple get fired over this.

    The law is also ridiculous. If I steal a pair of jeans in the store next door, I will get arrested. But if I hack into major companies stealing millions, I don’t.

    The Russian hackers who took down Amazon, costing the company millions, are still free and have yet to appear in court.

    What a F£€€#ick joke.

  5. Obviously an outstandingly clever guy (since there must be thousands of other hackers who have tried and failed). Apple should give Alexei a job (assimilate into the Borg). It might be what he’s cadging for.

    1. No he is not, it is a fairly simple hack.

      It is Apple that f€>#£cled this up in a big way.

      Developers should get together and sue Apple over the millions of dollars of losses, due to Apple’s incompetence.

      1. Ubermac is up to his old Hate Apple B.S. again.

        Don’t even try to explain anything to this Troll, it won’t work, that small hate-filled brain won’t allow any intelligent thinking to make it in.

        Funny thing is this person never talks about all the hacks and cracks in the Android OS that have been allowing anyone to circumvent purchasing, and allows for rampant stealing.

        By Ubercrack’s view, Apple should get punished while Android hackers and thieves can still carry on doing the same thing.

        Talk about hypocrisy!

        Oh and here is just one link out of many for Ubercrack’s delusional one track mind.

        Android DRM cracked… Anyone can install apps for free.

        http://androidappss.com/android-market/drm-crack-for-android-it-is-easy-to-pirate-android-apps/

        Don’t throw stones in glass houses, you might just be surprised what it does and the way it makes you look.
