Another good point about this iOS hack: do people realise the Russian guy could steal their bank accounts?— Alastair Houghton (@al45tair) July 16, 2012
On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:
Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service
Unfortunately, the service is reportedly still operational with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled'”
Couldn’t this iOS in-app purchasing hack be avoided by checking the certificate fingerprint against Apple’s? (Answer: yes, it could.)— Alastair Houghton (@al45tair) July 16, 2012
While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to ensure users he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used “intercept traffic intended for any other secure website”: