Apple attempts to take down in-app purchase hack

On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:

Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.

It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.

Unfortunately, the service is reportedly still operational, with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.’”

While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to assure users he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used to “intercept traffic intended for any other secure website”:


Is the AppleTV 2 the future of low-CPU use servers? Desktops?

Why run a family pictures website, DNS or any other low CPU-use server on power-hungry Intel-based hardware when an AppleTV2 does the trick? The folks at MacMinivault.com have set up a webpage on a jailbroken AppleTV 2 running httpd (go ahead, try to take it down) as an example of what can be served off of the little 6 watt, A4-powered dynamo. Put 10 of these together and you’ll be using the same power as a single 60 Watt light bulb.

The Apple TV is running iOS 4.2.2 (obviously jailbroken) with lighttpd for a web server. You can see the webpage we set up by visiting atv.macminivault.com. We’ll keep an eye on the CPU load and watch the analytics to record how much traffic the Apple TV receives.

They say this won’t be a cost effective solution for their customers (8 GB of storage won’t cut it) but is a ‘fun experiment.’

What’s interesting is that Apple likely has a dual-core A5-platform AppleTV coming out shortly, which may push a little more into the Intel server space. Perhaps more interesting is that the A5 chips could also make nifty little ChromeOS-busting terminals or even cheaper laptops.

If you want to create your own little AppleTV 2 server, they recommend the following: