Another good point about this iOS hack: do people realise the Russian guy could steal their bank accounts? — Alastair Houghton (@al45tair) July 16, 2012
On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:
Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.
Unfortunately, the service is reportedly still operational with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled’.”
Couldn’t this iOS in-app purchasing hack be avoided by checking the certificate fingerprint against Apple’s? (Answer: yes, it could.) — Alastair Houghton (@al45tair) July 16, 2012
While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to assure users that he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used to “intercept traffic intended for any other secure website”:
the method that Mr. Borodin is using to circumvent Apple’s receipt verification system would also, if he so wished, allow him to intercept traffic intended for any other secure website, including notably bank websites. Moreover, there would be no indication on a device configured to trust his certificate and use his DNS server that anything was wrong. If you want to end up with an empty bank account, following instructions of this kind that result in your DNS and certificate trust being under the control of an untrustworthy third party is a *really* good way to go about it.
Although Apple’s process of validating receipts would not necessarily protect developers, Houghton offered up a solution for devs while Apple works out a more permanent fix:
developers can use Apple’s verification server without being vulnerable to Borodin’s method simply by checking that the certificates being used by the Apple server are the ones that they expect. This is easy enough to do by examining the certificate fingerprints, and is probably being done in some of the applications that he says don’t work with his hack.
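What that fingerprint check looks like in practice, as an added example that is not code from the article or from Houghton: a pin check that ignores the device trust store entirely, so a user-installed certificate plus a DNS override still fails. It is written in Go for brevity (an iOS app would do the equivalent in its TLS trust callback), and the hostname and both certificates are constructed stand-ins, not Apple’s real ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of a certificate's DER bytes: the value a
// developer records from Apple's server once and ships inside the app.
func Fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// VerifyPin has the shape of tls.Config.VerifyPeerCertificate. It never
// consults the device trust store, so a CA added by a configuration profile
// together with a hijacked DNS answer still cannot get past it.
func VerifyPin(pins ...[32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pin check: no peer certificate presented")
		}
		got := Fingerprint(rawCerts[0]) // rawCerts[0] is the leaf certificate
		for _, p := range pins {
			if got == p {
				return nil
			}
		}
		return fmt.Errorf("pin check: leaf fingerprint %x... is not pinned", got[:8])
	}
}

// SelfSignedDER mints a throwaway certificate for host. It exists only to
// construct sample input here (errors are ignored because the inputs are fixed).
func SelfSignedDER(host string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // placeholder host, not Apple's
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

Pinning `Fingerprint(genuine)` and then calling the returned function with a second certificate minted for the same hostname (the proxy's) returns the "not pinned" error, while the genuine certificate returns nil.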
Borodin told TNW that Apple has not contacted him, but it is clear the company is aware of the issue and working on a solution. We, of course, highly recommend avoiding the service and anything connected to Borodin.