• Apple Mac in-app purchases hacked; everything free like on iOS
[IMG]http://cdn-static.zdnet.com/i/story/70/00/001323/applemacinapphack.png[/IMG]

[QUOTE]Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple today announced a temporary fix and that it would patch the holes with the release of iOS 6.

While Cupertino was distracted, Borodin came in and pulled off the same scheme on the Mac. That's right. Borodin's new hack allows Mac users to circumvent the payment process and essentially steal in-app content, just like his previous one did for iOS.

The new "In-Appstore for OS X" service uses a similar method to fake transactions made to Apple's servers, according to "Getting started to receive your in-app for free on OS X." To use this "trick" yourself, you need to perform the following steps (for the record, I do not recommend doing this, especially given that you have to hand over your login credentials, and I do not condone it either, as it is stealing):

1. Install CA certificate and in-appstore.com certificate
2. Change DNS record in Wi-Fi settings
3. Running Grim Receiper application (to save your original AppStore receipts)

Until Apple stepped in, iOS developers had no way of protecting their apps, and this looks to be the same situation for Mac app developers. Using store receipts doesn't work as Borodin's service simply needed a single donated receipt, which it could then use to authenticate anyone's purchase requests. His circumvention technique relies on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server.

The only difference this time around (apart from the different store), is that Borodin has developed an app called "Grim Receiper." It must be run on the local machine, and as far as I can tell its main purpose is to collect receipts for reuse. "That's the tool to keep your original receipts in safe place (locally, of course) during you are using in-appstore.com," says Borodin.

Affected iOS apps treated Borodin's server as an official communication because of how Apple authenticates a purchase. The same thing goes for Mac apps. The problem is that Apple does not tie a given purchase directly to a customer or device, meaning a single purchased receipt can be used again and again.

It's not yet clear if Cupertino is transmitting its customers' Apple IDs and passwords in clear text just like it was for iOS (Apple assumed it would only ever be communicating with its own server). If so, whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in the same type of man-in-the-middle attack that was used for iOS.

When Apple first tried (and failed) to stop Borodin, the company managed to disable his PayPal account. Borodin started taking donations via BitCoin, and for this Mac app hack he's doing the same: "Help the project by bitcoin 15GCBL7gHbf2p8bapozSrZhNaXdrKUWRFF. Thanks."

The good news this time around, as The Next Web notes, is that in-app purchasing is much more common in iOS apps than it is in Mac apps. Still, hopefully Apple fixes this issue more quickly on the Mac than on iOS. Given that the upcoming OS X 10.8 Mountain Lion is set to be released later this month, Apple could potentially offer a fix for this issue very quickly. Just like on iOS though, developers will have to be given some guidance so they can change the code on their end.[/QUOTE]

Maybe apple should focus more on security and less on patent trolling
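The replay weakness the quoted article describes (a receipt not tied to a customer or device), shown next to a device-bound check. This is an added example, not part of the original post and not Apple's code: a simplified model in which an HMAC stands in for the store's receipt signature, and the key, field names and device IDs are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the store's signing key (assumption).
STORE_KEY = b"constructed-demo-key"


def _mac(fields: dict) -> str:
    """MAC over the canonical JSON form of the receipt fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


def issue_receipt(product: str, device: str, txn: str) -> dict:
    """Store side: sign the purchase, including the purchasing device."""
    fields = {"product": product, "device": device, "txn": txn}
    return {"fields": fields, "mac": _mac(fields)}


def signature_ok(receipt: dict) -> bool:
    return hmac.compare_digest(_mac(receipt["fields"]), receipt["mac"])


def verify_unbound(receipt: dict, product: str) -> bool:
    """Weak check: any validly signed receipt for the product is accepted."""
    return signature_ok(receipt) and receipt["fields"].get("product") == product


def verify_bound(receipt: dict, product: str, device: str) -> bool:
    """Hardened check: the signed receipt must also name the presenting device."""
    fields = receipt["fields"]
    return (signature_ok(receipt)
            and fields.get("product") == product
            and fields.get("device") == device)


def demo() -> dict:
    # One receipt legitimately bought on MAC-A, then presented from MAC-B.
    donated = issue_receipt("levelpack", "MAC-A", "t-1001")
    # Editing the device field afterwards invalidates the MAC.
    edited = {"fields": dict(donated["fields"], device="MAC-B"),
              "mac": donated["mac"]}
    return {
        "unbound_replay_accepted": verify_unbound(donated, "levelpack"),
        "bound_on_buyer_device": verify_bound(donated, "levelpack", "MAC-A"),
        "bound_replay_accepted": verify_bound(donated, "levelpack", "MAC-B"),
        "edited_receipt_accepted": verify_bound(edited, "levelpack", "MAC-B"),
    }


if __name__ == "__main__":
    print(demo())
```
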
So basically he made an appstore authentication server emulator? That is interesting to say the least.
In-App Cracker has been available on Cydia for a long time already.
Nice...
And then those that get caught lose everything :c
[QUOTE=rapperkid04;36875881]And then those that get caught lose everything :c[/QUOTE] You deserve to lose everything if you get caught using this. Pros won't get caught.
[QUOTE=Madman_Andre;36876113]You deserve to lose everything if you get caught using this. Pros won't get caught.[/QUOTE] I was kinda kidding. Can you even get "caught"? I feel like it's the kind of thing they don't really care about.
Source?
[QUOTE=MattJeanes;36875405]In-App Cracker has been available on Cydia for a long time already.[/QUOTE] Actually most of the time you are downloading from repositories or filesharing websites and not from iTunes.
This will come in handy..
This is cool, but my iPod is jailbroken so...
[QUOTE=MattJeanes;36875405]In-App Cracker has been available on Cydia for a long time already.[/QUOTE] Yes, that works for things already installed inside the apps. Not for content you have to download, so it doesn't work for games like Tap Tap Revenge.
It was only a matter of time before the Mac App Store would be exploited too.
[QUOTE=jechtman;36878769]Yes, that works for things already installed inside the apps. Not for content you have to download, so it doesn't work for games like Tap Tap Revenge.[/QUOTE] The action movie app has DLC and the app works on it.
Well, they're fixing this in iOS 6 so I doubt it'll be long before it's fixed on OS X too.
Somebody is working on this for Android.
[QUOTE=MattJeanes;36875405]In-App Cracker has been available on Cydia for a long time already.[/QUOTE] From what I understand (and please correct me if I'm wrong), this works on non-jailbroken devices by changing the device's DNS settings to point to the fake authentication server.
[QUOTE=JimmyA;36880954]The action movie app has DLC and the app works on it.[/QUOTE] Hmm... last time I bought a pack, it had to download things. Maybe it's changed from download to unlock?
[QUOTE=Sir Whoopsalot;36881930]Well, they're fixing this in iOS 6 so I doubt it'll be long before it's fixed on OS X too.[/QUOTE] It'll just cost 60$ for the update