“Alexei Borodin, the same hacker who came up with the recent in-app purchase exploit that allowed free transactions for iOS users has struck again with a new method that allows users of Mac apps to do the same,” Matthew Panzarino reports for TNW. “The ‘In-Appstore for OS X’ service uses a method that’s very similar to that used on iOS devices to spoof transactions made to Apple’s servers.”
“After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase,” Panzarino reports. “It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper’ that must be run on the local machine to facilitate the process as well.”
Panzarino writes, “In-app purchasing is much more common in iOS apps than it is in Mac App Store apps, but any of this kind of theft is bad for the ecosystem and bad for developers. Here’s hoping that Apple enacts a swift fix on OS X as well as iOS.”
Read more in the full article here.
Sure these developers are all rich and they don’t need any money to continue their development. Yeah! you did it. Now go away.
Only an idiot would trust another app to save 99 cents or more. Just imagine what secret back doors are tucked away inside the Grim Receiper. Credit card and banking loggers. Like Dirty Harry once said….. “Do you feel lucky punk?”
Finding exploits and exposing them helps Apple in the long run. They are looking at expanding their OS presence, and this comes with the territory. Apple better start getting used to it, and to dedicating more resources at preventing them.
What doesn’t kill you makes you stronger.
True, but there is a better way of going about it than releasing it straight to the public. Granted we don’t know the whole story, but this smacks of someone enabling piracy more than helping Apple make their products better.
@Kevin
I agree with you, this is more malicious then helpful.
Are there not many unemployed KGB or spetznaz troopers who can assist with this problem?
I’m not that stupid nor desperate. Last year I wanted FCPX but not for the asking price. My 100% legal discounted method worked even though I didn’t get FCPX free I did manage to save about $100 bux by picking up several discounted iTune store gift cards over several months, mostly during the holiday shopping season.
Aside from trusting a Russian hacker, Apple will ultimately track down individuals using this or the IOS exploit.
Indeed. It won’t be difficult.
At least one developer has taken matters into their own hands (see http://www.applgasm-apps.com/Blog/?p=681). It won’t be long before they all follow suit and lock this guy out.
I guess accepting donations for helping people steal from app developers isn’t illegal in Russia…? Hopefully he won’t be in business much longer.
When Alexei did it the first time it was shocking, but when he did it again it was simply embarrassing.
This is what hackers do. They point out security holes. I don’t mind at all.
But ideally hackers give the developer of the victim system or application an opportunity to patch the hole before making it public. Alexei’s particular behavior verges into the ‘Black Hat’ hacker realm. But I’d call him ‘Grey Hat’ as he made the hack public instead of using it simply for personal profit.
This gives Apple a HUGE BACK EYE. I do hope the people at Apple get fired over this.
The law is also ridiculous. If I steal a pair of jeans in the store next door, I will get arrested. But if I hack into major companies stealing millions, I don’t.
The Russian hacker took down Amazon costing the company millions ate still free and have yet to appear in court.
What a F£€€#ick joke.
Obviously an outstandingly clever guy (since there must be thousands of other hackers have tried and failed). Apple should give Alexei a job (assimilate into the Borg). It might be what he’s cadging for.
No he is not, it is a fairly simple hack.
It is Apple that f€>#£cled this up in a big way.
Developers should get together and sue Apple over the millions of dollars of losses, due to Apple’s incompetence.
Ubermac is up to his old Hate Apple B.S again.
Don’t even try to explain anything to this Troll, it won’t work, that small hate filled brain won’t allow any intelligent thinking to make it in.
Funny thing is this person never talks about all the hacks and cracks in the Android OS that have been allowing anyone to circumvent purchasing,and allows for rampead stealing.
By Ubercrack’s view, Apple should get punished while Android hackers and thieves can still carrying on doing the same thing.
Talk about hypocrisy!
Oh and here is just one link out of many for Ubercrack’s delusional one track mind.
Android DRM cracked… Anyone can install apps for free.
http://androidappss.com/android-market/drm-crack-for-android-it-is-easy-to-pirate-android-apps/
Don’t throw stones in glass houses, you might just be surprised what it does and the way it makes you look.
Apple will be the laughingstock in security for the next 10 years over this.
And deserving so!
No actually. The problem here is the inherent insecurity of Internet certificate system. This has been a consistent theme across the Internet for the last year and a half. Apple is only the latest victim, of many.
What has to happen is a revision of the entire concept and set of standards for ‘Internet security’. Most of the current standards have been proven to be a farce. The result is that both customers and vendors on the Internet have had to implement clunky workarounds in order to obtain actual/factual Internet security. IOW: It’s a mess.
Oh and BTW, anonymous coward ‘Ubermac’. Them’s trolling words. Try learning about computer security before you make yourself the laughing stock in security for the next blahblahblah…
@Derek
Ubermac is a troll, that poster has been around here about a month pushing his/her Hate for Apple, it happened after the Microsofts announcement began, or better known as the Microsoft Surface Comedy show.
It doesn’t mater what you say, this one track mind of His/Hers is so far embedded, nothing you say is going to make them stop.
Unermac is a Laugh Riot, seeing someone so delusional as to push as much nonsence as they can……. it’s a great sideshow! 🙂
I’ve always found troll trampling to be a golly good time. What would we do without them? 😆
I’ll be damned. It worked!! Got 2 apps so far.
This so called hacker is probably a former or current Apple software engineer that’s just having fun with a backdoor he left in the app store code.
Congratulations, you thieving cheapskate scumbag.
So you got (2) In-App purchases, Care to enlighten us as to what Mac Applications you added to?
Se I have a very hard time believing you, you speak as if you have gotten (2) full free Applications, but since the Mac App Store has Very few Applications that have an Addon feature, I find it hard to believe you did.
Oh and by the way, the exploit was stopped a few hours after the information became published.
So Lewis, what Apps did you add to, better yet, what apps did you update that had the very little used in-app update, where you so crazy to open your whole system up to, by allowing this hacker to gain access to all your information, iTunes accounts, Passwords, ect…
Just a heads up, don’t think Apple doesn’t know about thoes supposed in-app purchasers, since you can’t get full apps, what the hell is worth opening up your whole system to this hacker that admited he can see anyone’s information once the hit his servers.
Talk about allot of Stupid!
As tempting as this is, I would not want to cheat the company and developers.
These exploits are both a bad ign and a good thing. They are a bad thing because you have wealth leaking. It is a good thing because these exploits point out certain pars of the system that need patching.
Still, I can imagine dozens of frustrated developers right now.
Pirating songs, movies, and apps from companies that rape people financially is, to me, fair games, and I not only encourage it, but do it whenever I can…. But to pirate songs, movies and apps that are sold at fair prices ( such as found on iTunes) is a disgrace. It is like stealing money all the money from the change jar at a cash register…. It is petty and cowardly to steal from something set up to make fair business. Yes, stealing is stealing, but I sooner steal a CD or movie from a store that asks $20/cd, $40/dvd, $599 for an app because those chumps are nothing but thieves to begin with. iTunes’ prices are very fair, and honest… and yet profitable why? cuz its affordable!
What would Russia do if an American or a Canadian hacker played a number on a Russian company?
You are what is wrong with America. Stealing is stealing. The market sets the price, and if a product is priced too high, it will not sell. Who are you to judge if something is too expensive, or if a company is “raping” you?
With that attitude no wonder society is so ***ked up.
It’s what’s the worst and shows up more in the last few generations, these young adults have shown a obvious entitlement psychology that is destroying everything they touch.
Don’t get me wrong, I’m not singling everyone of those young adults in with the entitlement persona, But as we have seen throughout the course of history, it takes only a few to have a positive or enhance a negitive way of thinking, and it seems that the Negitive entitlement is the easiest way since it requires less Brain Power and skills to work for what you deserve then to take without any thought.
With the attitude of steal from all these evil corporations, Then it’s ok for you to pay back all you Public School Education Costs or any Goverment help you may have gotten while you had been in a Private School.
nikonfoxx, you didn’t learn a thing.
I don’t really understand how this can be possible. If you can trick the App store like this with In-app purchases, why aren’t it p
I don’t understand this att all. If its possible to trick the App store like this with in-app purchases. Why sent it not possible to trick it without? Since your credit card is charged for a purchase and a false one would not go through. Why is this in app ripp-off possible?
This is a good thing lol “only 99.99$” is a LOT for in-game values that can be hacked in with a cheat engine or in app purchase crack. many they should be more reasonable and sell for 7.99 unlock all eta.