“Alexei Borodin, the same hacker who came up with the recent in-app purchase exploit that allowed free transactions for iOS users has struck again with a new method that allows users of Mac apps to do the same,” Matthew Panzarino reports for TNW. “The ‘In-Appstore for OS X’ service uses a method that’s very similar to that used on iOS devices to spoof transactions made to Apple’s servers.”
“After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase,” Panzarino reports. “It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper’ that must be run on the local machine to facilitate the process as well.”
Panzarino writes, “In-app purchasing is much more common in iOS apps than it is in Mac App Store apps, but any of this kind of theft is bad for the ecosystem and bad for developers. Here’s hoping that Apple enacts a swift fix on OS X as well as iOS.”
Read more in the full article here.