In-App Hacker Now Attacks OS X

Circumventing in-app purchases in Mac App store

Last week, Russian hacker Alexei Borodin presented an in-app purchasing exploit that lets users obtain in-app purchases in iOS apps without paying for them.

Now that Apple is patching the system to shut this down, Borodin has made his next move: an in-app purchasing hack that works against the Mac App Store.

The method is similar to the one Borodin used on iOS. The user installs some fake security certificates and then points the Mac's Domain Name System (DNS) servers at a false server run by Borodin. That remote server then pretends to be the real Mac App Store and "verifies" the purchase, bypassing the genuine in-app purchase system set up by Apple and used by developers of Mac apps.

Borodin claims that this system has allowed approximately 8.4 million free purchases so far.

This is another blow to Apple. On Friday, 20 July 2012, Apple announced that iOS developers could use a temporary fix in their iOS 5 apps to stop the iOS hack from working and stealing their in-app purchases, with a more permanent fix planned for iOS 6, coming soon.

We can only assume that Apple will create a similar fix for the Mac OS X exploit, possibly even fold it into the upcoming OS X release of Mountain Lion (10.8).

iOS apps rely on in-app purchases more than OS X apps do. Stealing them is still theft, even on a smaller scale, and it can only hurt Apple to let such an exploit exist any longer than is strictly necessary to create a solid fix.

Nobody knows why Borodin is doing this. Perhaps he enjoys the technical challenge. Or he enjoys playing games with Apple. Or perhaps he is protesting the system of in-app purchasing itself.

We advise our readers to stay away from such exploits. Using them deprives not only Apple of revenue, but the developers as well, who are poor.

Source: Cult Of Mac
