Macworld Forums: Hacker exploits iOS flaw for free in-app purchases - Macworld Forums


Hacker exploits iOS flaw for free in-app purchases

#1 User is offline   Macworld 

  • Story Poster
  • Group: MW Bot
  • Posts: 31,666
  • Joined: 30-November 07

Posted 13 July 2012 - 11:30 AM

Post your comments for Hacker exploits iOS flaw for free in-app purchases here
0

#2 User is offline   joellimberg 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 1
  • Joined: 13-July 12

  Posted 13 July 2012 - 11:54 AM

"Borodin said that he was "shocked" that passwords were passed in plain text and not encrypted."

This data is normally passed through a secure connection. How is it Apple's fault if the user decides to install a middleman and pass data through them?
0

#3 User is offline   hayesk 

  • Veteran
  • PipPipPip
  • Group: Members
  • Posts: 1,791
  • Joined: 07-August 04

  Posted 13 July 2012 - 12:03 PM

Borodin's rationalization for stealing from the developer is pure BS. If you don't like that the developer expects you to pay for extra parts of the game, then don't play it.

Kudos for him for showing Apple a flaw, but that doesn't justify his actions.
1

#4 User is offline   johndrake 

  • Member
  • Group: Macworld Insiders
  • Posts: 651
  • Joined: 11-December 07

  Posted 13 July 2012 - 12:09 PM

They will hire me, this guy had his head up somewhere, and it's not a cloud!

I'm not at all surprised by the greed this all points out, but hopefully those eager to exploit the hack end up on the short end of the stick, by getting hacked in return, and that their accounts are cleaned out and credit shot to he!! !!
0

#5 User is offline   jdb8167 

  • Veteran
  • PipPipPip
  • Group: Members
  • Posts: 2,533
  • Joined: 30-August 04

  Posted 13 July 2012 - 12:10 PM

Thanks for the thorough explanation of the hack and work arounds. This is the best analysis I've seen so far. Including the problems with iOS vs server validation was the information that I've been searching for but was missing from other reports.
0

#6 User is offline   lgladdy 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 2
  • Joined: 13-July 12

  Posted 13 July 2012 - 12:26 PM

I'm pretty sure this bypasses the "secure, web-based receipt validation" - it's why you have to install the itunes.com/apple.com certificates onto the phone. Apps can phone back, but they don't get to talk to apple, they get the fake server which simulates a "yes, this is all good" response...
0

#7 User is offline   lgladdy 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 2
  • Joined: 13-July 12

  Posted 13 July 2012 - 12:30 PM

And this bit, "According to Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—"This is entirely Apple’s fault,” Tabini added." is kinda annoying too.

They're just using standard SSL encryption. You've always been able to install your own certificates to something, that's how SSL works. Apple trusting the device certificate chain is hardly their fault. It's potentially something they've overlooked, but in order to make this stuff compliant with things like revocation, they don't have any other choice.

The hacker has clearly figured out how to generate the responses properly for an in-app purchase, just like jailbreakers figured out how to generate SHSH blobs in the early days of jailbreaking, until Apple started signing them.
0
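The point lgladdy makes in the two posts above (certificates installed on the phone, apps that "phone back" and reach a fake server returning a "yes, this is all good" answer) and the iOS-versus-server validation question jdb8167 raises in post #5 both come down to where the purchase decision is made. The following Python is an added example, not code from this thread, from Macworld or from Apple: the developer's own server forwards the receipt to Apple and checks the answer's fields before crediting anything, so a DNS entry or certificate installed on the device never sits on the path that matters. The bundle and product identifiers are placeholders, the endpoint URL and the `status`, `receipt`, `bid`, `product_id` and `transaction_id` field names follow Apple's legacy verifyReceipt JSON as I recall it, and the responses in `demo()` are constructed stand-ins for Apple's.

```python
"""Server-side in-app purchase receipt validation (added example).

Assumed flow: the iOS app uploads its receipt to the developer's server,
and that server (not the device) asks Apple whether the receipt is real.
A root certificate or DNS override installed on the phone cannot redirect
this server-to-Apple request, so a forged "all good" reply delivered to
the device never reaches the code that grants the purchase.
"""
import base64
import json
import urllib.request

# Apple's legacy production verifyReceipt endpoint (as documented by Apple
# at the time; the sandbox endpoint differs and is not covered here).
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

# Hypothetical app configuration; placeholders, not a real app.
EXPECTED_BUNDLE_ID = "com.example.game"
KNOWN_PRODUCT_IDS = {"com.example.game.coins100", "com.example.game.levelpack"}


def ask_apple(receipt_bytes, fetch=None):
    """POST the base64 receipt to Apple from the server side.

    `fetch(payload) -> dict` can be supplied to replace the network call
    (used by demo() and tests); by default a real HTTPS request is made."""
    payload = json.dumps(
        {"receipt-data": base64.b64encode(receipt_bytes).decode("ascii")}
    ).encode("utf-8")
    if fetch is not None:
        return fetch(payload)
    req = urllib.request.Request(
        APPLE_VERIFY_URL, data=payload, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_purchase(receipt_bytes, expected_product_id, seen_transactions, fetch=None):
    """Return (ok, reason).

    The purchase is credited only if Apple confirms the receipt AND the
    receipt names this app, the product the client claims to have bought,
    and a transaction id that has never been credited before (a generic
    "status 0" reply with none of those fields is rejected, as is a replay)."""
    try:
        answer = ask_apple(receipt_bytes, fetch)
    except Exception as exc:  # network failure, bad JSON, etc.
        return False, "verification request failed: %s" % exc
    if answer.get("status") != 0:
        return False, "apple rejected receipt, status=%r" % answer.get("status")
    receipt = answer.get("receipt") or {}
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt is for a different app or has no bundle id"
    product = receipt.get("product_id")
    if product != expected_product_id or product not in KNOWN_PRODUCT_IDS:
        return False, "product mismatch: %r" % product
    txn = receipt.get("transaction_id")
    if not txn:
        return False, "no transaction id in receipt"
    if txn in seen_transactions:
        return False, "transaction %s already credited" % txn
    seen_transactions.add(txn)
    return True, "credited %s for transaction %s" % (product, txn)


def demo():
    """Run the validator against constructed replies (not real Apple data).

    Returns (genuine_ok, replay_ok, generic_ok)."""
    genuine = {"status": 0, "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000000000001"}}     # constructed sample
    generic_yes = {"status": 0}                     # constructed "all good" with no detail
    seen = set()
    product = "com.example.game.coins100"
    genuine_ok, _ = validate_purchase(b"receipt-bytes", product, seen, fetch=lambda _p: genuine)
    replay_ok, _ = validate_purchase(b"receipt-bytes", product, seen, fetch=lambda _p: genuine)
    generic_ok, _ = validate_purchase(b"receipt-bytes", product, set(), fetch=lambda _p: generic_yes)
    return genuine_ok, replay_ok, generic_ok


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `status == 0` alone is never enough: the server also insists that the bundle id, product id and transaction id in Apple's reply match what it expects, and it records transaction ids so one genuine receipt cannot be presented twice.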

#8 User is offline   leftnotrackswzdv 

  • Member
  • PipPip
  • Group: New Members
  • Posts: 21
  • Joined: 17-September 11

  Posted 13 July 2012 - 02:18 PM

“I’m a happy user of iPhone 4S … I think they will hire me.”

If not for his hacking skill, then certainly for his balls.
0

#9 User is offline   erikftaylor 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 1
  • Joined: 13-July 12

  Posted 13 July 2012 - 02:34 PM

Hhmm... I tried this out of early morning, droopy-eyed curiosity. I "purchased" a few low cost IAPs and removed the DNS and certs from my iPad. I also changed my iTunes credentials. I feel super guilty for even trying it out :(
0

#10 User is offline   sezme 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 1
  • Joined: 13-July 12

  Posted 13 July 2012 - 02:36 PM

Apple should maybe hire him to clean the toilets.
0

#11 User is offline   lightnquick 

  • Member
  • PipPip
  • Group: Members
  • Posts: 30
  • Joined: 13-October 10

Posted 13 July 2012 - 02:37 PM

 hayesk, on 13 July 2012 - 12:03 PM, said:

Borodin's rationalization for stealing from the developer is pure BS. If you don't like that the developer expects you to pay for extra parts of the game, then don't play it.

Kudos for him for showing Apple a flaw, but that doesn't justify his actions.


I agree - it's BS. BUT - at the same time I expect developers to make it clear up-front that a game requires x amount of in-app purchases to play x amount of levels, etc. Many fail to be open about this, and, honestly, my empathy for them is, uhmm, limited.
0

#12 User is offline   Adam24 

  • Newbie
  • Group: Macworld Insiders
  • Posts: 8
  • Joined: 15-December 07

  Posted 13 July 2012 - 02:44 PM

The App Store seems to be down for logins and app purchases. At least it is for me.
0

#13 User is offline   JustinDd7kn 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 1
  • Joined: 13-July 12

  Posted 13 July 2012 - 02:52 PM

"...he didn't seem particularly concerned about what Apple does next"
"Asked if he was afraid about what Apple's response to him directly might be..."

Three shots center mass, set of two white Apple stickers left on body as a calling card. Watch.
0

#14 User is offline   StratigosSec 

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 1
  • Joined: 13-July 12

  Posted 13 July 2012 - 03:11 PM

We have also noticed the same thing and are investigating. This is not just a threat to the Apple and iOS App Store developers' business model, but to the security of iOS devices as well. http://stratigossecu...purchases-free/
0
