PDA

View Full Version : Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]




MacRumors
Jul 13, 2012, 09:10 AM
http://images.macrumors.com/im/macrumorsthreadlogo.gif (http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/)


As noted by 9to5Mac (http://9to5mac.com/2012/07/13/apples-in-app-purchasing-process-circumvented-by-russian-hacker/), a Russian hacker has developed a relatively simple method to allow users to bypass Apple's In App Purchase mechanism on many iOS apps, allowing users to obtain the content for free.

http://images.macrumors.com/article-new/2012/07/in_app_purchase_hack_confirm.jpg


Alternate In App Purchase confirmation button seen on hacked devices
The method, which does not require jailbreaking, involves installing a pair of certificates on the user's device and then using a custom DNS entry. Users can then perform in-app purchases as usual and automatically be redirected through the hacked system.

iSuo4xEucqE
Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method.

The hacker has already been evicted from his original host and had reportedly moved to a new one, but the site is currently down. It is unclear whether it is down simply due to high traffic or if other steps are being taken to hinder his activities.

Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.

Update: The Next Web takes a closer look (http://thenextweb.com/apple/2012/07/13/how-a-flaw-in-apples-in-app-purchase-process-enabled-more-than-30000-illegal-virtual-transactions/) at the method developed by Alexey Borodin, which actually can not be prevented simply by employing receipt validation.All Borodin's service needs is a single donated receipt, which it can then use to authenticate anyone's purchase requests. Many of those receipts have been donated by Borodin himself, who has spent several hundred dollars on in-app purchases testing and generating receipts. [...]

Because the bypass emulates the receipt verification server on the App Store, the app treats it as an official communication, period.Addressing the issue will ultimately require changes by Apple, which could enhance the API used for In App Purchases to provide for uniquely signed receipts that could not be duplicated on a mass basis as with Borodin's service.

The Next Web also interviewed Borodin, who noted that he has turned over operation of the site to a third party in order to avoid trouble and will be deleting any information he obtained from running the operation. According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

Update 2: Macworld also chatted with Borodin (http://www.macworld.com/article/1167677/hacker_exploits_ios_flaw_for_free_in_app_purchases.html), who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process."I can see the Apple ID and password," for accounts that try the hack, Borodin told Macworld. "But not the credit card information." Borodin said that he was "shocked" that passwords were passed in plain text and not encrypted.

According to [developer Marco] Tabini, though, "Apple presumes it's talking to its own server with a valid security certificate." But that was clearly a mistake--"This is entirely Apple's fault," Tabini added.Update 3: Apple has issued a brief statement to The Loop (http://www.loopinsight.com/2012/07/13/apple-responds-to-hacked-in-app-purchasing-system/) acknowledging that it is aware of and investigating the issue."The security of the App Store is incredibly important to us and the developer community, Natalie Harrison, told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

Article Link: Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated] (http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/)



johnparjr
Jul 13, 2012, 09:14 AM
Yeah free advertisement for hack sites

lannisters4life
Jul 13, 2012, 09:15 AM
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

troop231
Jul 13, 2012, 09:16 AM
This button looks scary http://i.imgur.com/B0p3E.jpg

Serelus
Jul 13, 2012, 09:17 AM
Aside from the obvious impact that the hack involves theft of content from developers

Wait what? Let the piracy debate begin.

-Ryan-
Jul 13, 2012, 09:17 AM
Yeah free advertisement for hack sites
I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.

applesith
Jul 13, 2012, 09:17 AM
His paypal address is @me.com. lol why use apple's email to steel from their developers?

lifeinhd
Jul 13, 2012, 09:17 AM
I saw this on 9to5, was kind of hoping you wouldn't post it.

rafaltrus
Jul 13, 2012, 09:18 AM
I WANT! :eek:

autrefois
Jul 13, 2012, 09:18 AM
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.

doobybiggs
Jul 13, 2012, 09:19 AM
yaaaay for free apps :)

... just curious, what makes people think that if he is stealing from apple, he is not also stealing info from your phone or mobile device?

ChazUK
Jul 13, 2012, 09:20 AM
This button looks scary Image (http://i.imgur.com/B0p3E.jpg)

It means "cancel".

EDIT:
Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process.

LULz at anyone who has their data stolen using this type of hack. You deserve it! :D

jordanhuxley
Jul 13, 2012, 09:21 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

HarryKeogh
Jul 13, 2012, 09:21 AM
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

Fraaaa
Jul 13, 2012, 09:21 AM
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

Because of this:

The method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method

troop231
Jul 13, 2012, 09:21 AM
It means "cancel".

No, really? :rolleyes: I said it "looked" scary

ChazUK
Jul 13, 2012, 09:23 AM
No, really? :rolleyes: I said it "looked" scary

You are scared of typography? Strange.....

jordanhuxley
Jul 13, 2012, 09:23 AM
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

hakuna-matata
Jul 13, 2012, 09:25 AM
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

how do i give you a downvote?

----------

I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.

right, like people don't know how to google search..yeah, it doesn't matter. other sites do so, why would MR post an incomplete article?

coder12
Jul 13, 2012, 09:25 AM
This button looks scary Image (http://i.imgur.com/B0p3E.jpg)

That's the teleport button!


Press it!

jazzkids
Jul 13, 2012, 09:26 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.

george-brooks
Jul 13, 2012, 09:26 AM
I wish this wasn't so risky!

lifeinhd
Jul 13, 2012, 09:26 AM
um, MacRumors takes everything 9to5 posts...and re-posts it on their site. i actually think MR just keeps hitting refresh on their web browsers all day long, watching 9to5, and when a new story gets posted there, they immediately repost here. :rolleyes:

Heh, sadly that is pretty much the case these days :rolleyes:

foodog
Jul 13, 2012, 09:27 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

So don't buy them.

UmbraDiaboli
Jul 13, 2012, 09:27 AM
Through his logins to Game Centre to each specific game he can be traced by Apple fairly quickly.

On Beta 3 (soon to be released), his bypass will be fixed.

WildCowboy
Jul 13, 2012, 09:28 AM
I purposely did not link directly to the site or to the specific installation instructions, although it's obviously easy to get there...when the site is working. And the service is currently down.

The post had already been picked up by Techmeme, and it's going to get wide coverage no matter what. Bringing visibility to the dangers is a good thing in my view.

Takeo
Jul 13, 2012, 09:28 AM
Hopefully Apple will find a way to patch this vulnerability quickly.

jordanhuxley
Jul 13, 2012, 09:28 AM
Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.

I agree. I'll pay for a quality game. But I'm not paying for the app, then paying for more.

habubauza
Jul 13, 2012, 09:28 AM
Thanks MacRumors for posting this on your front page. This is a significant news story and warrants that people who use IOS devices are made aware. Surprising that a few people think that this story should be hidden somewhere.

ArtOfWarfare
Jul 13, 2012, 09:29 AM
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?

al0513
Jul 13, 2012, 09:30 AM
Actually you are stealing ~70 cents from the dev and ~30 cents from Apple on a 99 cent app.

As someone mentioned above, I wouldn't trust any "app" that steals from Apple. A few dollars isn't worth losing all of my information. I'm sure most of you have emails, banking apps, shoot - credit card info on your Apple account.

Not worth it at all. Plus stealing is baaaadd. :apple:

iZac
Jul 13, 2012, 09:31 AM
I wonder why people who want to do this don't just jailbreak and live 'off grid'?

As for posting it, I think by raising it, it makes people aware and if they are stupid enough to pass their account and CC details onto a hacker, then fine. On the plus side it also makes damn sure that Apple get off their asses and plug the hole.

notjustjay
Jul 13, 2012, 09:31 AM
So a Russian hacker who obviously has no problems with theft is offering to help me steal too, and all I have to do is send their site my own account data?

What could possibly go wrong?

hakuna-matata
Jul 13, 2012, 09:32 AM
Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.

10$ or more to play a game on fricking 3-4" screen in this economy..people are out of their mind!! never.

Gib
Jul 13, 2012, 09:32 AM
I WANT! :eek:

Hey, what happened to the Downvote buttons?

T. Durden
Jul 13, 2012, 09:32 AM
yaaaay for free apps :)

... just curious, what makes people think that if he is stealing from apple, he is not also stealing info from your phone or mobile device?

The App Store is a virtual storefront. Apple takes a 30% cut from all apps or in-store app purchases sold.

This is no different from someone walking into a Best Buy and stealing an expansion pack for The Sims and justifying it because they already bought the original Sims software. You're stealing from Best Buy and the developer.

Unfortunately, because you can easily steal from the comfort of your own home and there isn't anyone policing it, people think it's okay :rolleyes:

Mad-B-One
Jul 13, 2012, 09:33 AM
No, really? :rolleyes: I said it "looked" scary

You must be American. Everything non-English is scary, I know. :rolleyes: Don't worry. You can put the 38 Special down again. It didn't come with a turban like all these scary Al Kaida Hidus. :D

Just kidding. But really, how can foreign language look scary? Scared of the unknown?

ChazUK
Jul 13, 2012, 09:33 AM
10$ or more to play a game on fricking 3-4" screen in this economy..

On a phone worth hundreds of dollars...

Macman45
Jul 13, 2012, 09:33 AM
This button looks scary Image (http://i.imgur.com/B0p3E.jpg)

Yep, and you'd have to be a little crazy to install this at all, but I'm afraid that if there is a way around do it the right way, than a minority will use it.

If people find personal information etc. has been compromised, then don't come whining about it.

johncrab
Jul 13, 2012, 09:33 AM
This looks like an irresistible carrot, designed to get greedy, unscrupulous people to bite at the stolen content without thinking about what this could do in terms of allowing account numbers and passwords to be grabbed in the process. Anyone who installs this and then has his/her bank account drained need not look to me for sympathy. Oh yeah, and I'm tired of paying for all of the shoplifters in this world and that's just what this is.

Zerotolerance
Jul 13, 2012, 09:34 AM
Apple should hurry up and release an update permanently bricking any iDevice that has this installed.

orthorim
Jul 13, 2012, 09:35 AM
His paypal address is @me.com. lol why use apple's email to steel from their developers?

Closure of me.com account in 3, 2, 1.... disabling of PayPal account in 3, 2, 1... as clever as the guy was to get around the in app purchasing security, he didn't think this through very well :D

Kind of baffling Apple would allow this kind of hack... don't apps use HTTPS to talk to Apple servers? Even if you DNS spoof the address - and this is obviously always possible, if not on the device then in your local router - the software should still find the certificate incorrect. That's the whole reason for the certificate system.

I have been wondering if DNS spoofing would possibly get around HTTPS certificate checks - as in what if I spoof both the receiving server, and the certificate authority server, and bless my own faulty certificates as correct from my own fake cert server.... - but I have to believe they thought of that. Haven't they?

Anyway with Apple's own ironclad security this should be an easy fix.

NewAnger
Jul 13, 2012, 09:36 AM
This is similar to the hack that was in Cydia last year that allowed people to use the Zynga Farmville app to buy Farmcash, as much as you wanted and not get charged for it. People had millions in Farmcash and Zynga caught on suspended those people's accounts.

Kaibelf
Jul 13, 2012, 09:36 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

Frankly, that's not your decision to make is it? It's the dev's, and if you don't like something's price, you don't just act like a jerk and take things.

lifeinhd
Jul 13, 2012, 09:36 AM
Hey, what happened to the Downvote buttons?

In today's world, everyone's a winner (http://www.youtube.com/watch?v=h6wOt2iXdc4).

Kaibelf
Jul 13, 2012, 09:37 AM
10$ or more to play a game on fricking 3-4" screen in this economy..people are out of their mind!! never.

Guess you never heard of a GameBoy?

hakuna-matata
Jul 13, 2012, 09:37 AM
Hey, what happened to the Downvote buttons?

you are getting it.

zoonyx
Jul 13, 2012, 09:37 AM
Woah this is amazing!!!! I'm so buying shed loads of in app content now. Great news! :)

T. Durden
Jul 13, 2012, 09:37 AM
So don't buy them.

This.

If you don't like the model, don't buy it. You can view in-app purchases from the App Store before you buy the game.

Also, most games with this model are free. There is no risk imposed by downloading it. If you download it and see it's too tempting to buy extra coins or upgrade or whatever, delete the game. That's much easier than using this hacker method to steal, IMO.

GenesisST
Jul 13, 2012, 09:39 AM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

I ignore those apps, pure and simple. I don't want to pay? I don't use it!

/holierthanthou

zorinlynx
Jul 13, 2012, 09:39 AM
Hey F**KTARDS: (people who develop hacks like this)

STOP MAKING US JAILBREAKERS LOOK BAD BY CREATING WAYS TO STEAL CONTENT.

Those of us who want to jailbreak to simply have full control of our hardware are made to look bad because of people like you.

Find more productive ways to use your time and talent, please.

Sincerely,
Jailbreaker who doesn't want Apple to try harder to stop us.

Knox
Jul 13, 2012, 09:39 AM
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?

I'm pretty sure this hack will not work if the app employs Apple's server-side receipt verification. If in your case the game guide was downloaded from a server only after an in-app purchase - rather than being included in the app and then being 'activated' - and the server verified the in-app purchase with Apple, they would be able to carry out the hacked "purchase" but you could simply not allow the download of the guide.

One of my clients has a popular (UK top 50 grossing) app that derives all its income from IAP and we have, in the past, had issues with the jailbreak iap hack, however that hack is defeated by the verification method.

ChazUK
Jul 13, 2012, 09:40 AM
Hey F**KTARDS: (people who develop hacks like this)

STOP MAKING US JAILBREAKERS LOOK BAD BY CREATING WAYS TO STEAL CONTENT.

Those of us who want to jailbreak to simply have full control of our hardware are made to look bad because of people like you.

Find more productive ways to use your time and talent, please.

Sincerely,
Jailbreaker who doesn't want Apple to try harder to stop us.

Calm down, it doesn't require jailbreak! :D

NewAnger
Jul 13, 2012, 09:40 AM
Guess you never heard of a GameBoy?
Gameboy games used to cost $20-50 depending on the game on this small screen. They were fun.

Buckeyestar
Jul 13, 2012, 09:40 AM
This is no different from someone walking into a Best Buy and stealing an expansion pack for The Sims and justifying it because they already bought the original Sims software. You're stealing from Best Buy and the developer.

Actually, in that example, the developer already got their money for that copy since it's on the shelf. Best Buy already paid for the game, so you'd only be stealing from them. :p

T. Durden
Jul 13, 2012, 09:41 AM
10$ or more to play a game on fricking 3-4" screen in this economy..people are out of their mind!! never.

As opposed to $40+ to play a game on a Gameboy?

The App Store has made games so accessible; it's a complete joke to complain about the prices - especially when the majority of the games are $0-1.99 :rolleyes:

doobybiggs
Jul 13, 2012, 09:42 AM
The App Store is a virtual storefront. Apple takes a 30% cut from all apps or in-store app purchases sold.

This is no different from someone walking into a Best Buy and stealing an expansion pack for The Sims and justifying it because they already bought the original Sims software. You're stealing from Best Buy and the developer.

Unfortunately, because you can easily steal from the comfort of your own home and there isn't anyone policing it, people think it's okay :rolleyes:

well i was joking about the free apps .... I was more worried about why people think that using this new app and stuff to steal stuff would not hurt them? If i was this hacker, why would I not install something in my app that sent me all your info ... CC #s, passwords, things like that?

zorinlynx
Jul 13, 2012, 09:42 AM
But really, how can foreign language look scary? Scared of the unknown?

Nah, just outdated thinking, from back when Russia was "the enemy.". Wanna bet the poster is an older person who lived during the cold war?

However, it IS outdated thinking; the cold war is over, Russia is our friend now.

natej2010
Jul 13, 2012, 09:43 AM
the real question is what company is going to pick him up to help with their security.

AdrianK
Jul 13, 2012, 09:43 AM
Hey F**KTARDS: (people who develop hacks like this)

STOP MAKING US JAILBREAKERS LOOK BAD BY CREATING WAYS TO STEAL CONTENT.

Those of us who want to jailbreak to simply have full control of our hardware are made to look bad because of people like you.

Find more productive ways to use your time and talent, please.

Sincerely,
Jailbreaker who doesn't want Apple to try harder to stop us.
Not sure how this is relevant, this exploit simply makes use of a proxy. No jailbreak required....

bocomo
Jul 13, 2012, 09:44 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

so don't buy them

it doesn't justify theft

jordanhuxley
Jul 13, 2012, 09:44 AM
Frankly, that's not your decision to make is it? It's the dev's, and if you don't like something's price, you don't just act like a jerk and take things.

I didn't say I did "act like a jerk and take things". I was just voicing my opinion on the in-app purchase system. I don't take anything and neither do I was my money on ridiculously priced in app purchases.

zorinlynx
Jul 13, 2012, 09:45 AM
Calm down, it doesn't require jailbreak! :D

Okay, I must have read "does not" as "does".

Oops, my bad!

http://images1.wikia.nocookie.net/__cb20110718083419/mlp/images/archive/7/73/20110718131822!Derpy_id.png

jordanhuxley
Jul 13, 2012, 09:45 AM
so don't buy them

it doesn't justify theft

As I said. I NEITHER BUY THEM NOR STEAL THEM.

gnasher729
Jul 13, 2012, 09:46 AM
Actually you are stealing ~70 cents from the dev and ~30 cents from Apple on a 99 cent app.

As someone mentioned above, I wouldn't trust any "app" that steals from Apple. A few dollars isn't worth losing all of my information. I'm sure most of you have emails, banking apps, shoot - credit card info on your Apple account.

Not worth it at all. Plus stealing is baaaadd. :apple:

And consider the risks: The obvious risk that you are trusting a hacker, which is by definition a bad idea. Like someone offering to put stolen goods into your home for really cheap if you give them the keys. Not clever.

Second the legal risk. I would be quite sure that by using this hack to make in app purchases you are entering a legal and enforceable contract with the seller. Just because you avoid payment doesn't mean you don't owe the money. So if you "buy" 1000 real dollars worth of game gold coins without paying, don't be surprised if you get a bill eventually.


the real question is what company is going to pick him up to help with their security.

None. First, because cracking and securing are very different things. Second, because someone who has demonstrated they cannot be trusted cannot be trusted to work in security. Third, because companies have people looking for possible ways to break in; you just don't hear about them because when they find a hole, they don't exploit it, they close it, and they tell nobody.

vsighi
Jul 13, 2012, 09:46 AM
This is just one more grate product made by a soviet haker :cool:

GenesisST
Jul 13, 2012, 09:46 AM
Not sure how this is relevant, this exploit simply makes use of a proxy. No jailbreak required....

I think, he means (can't say for sure) that the layman might associate this with jailbreaking. Not that the layman knows what jailbreak is other than a TV show...

ugahairydawgs
Jul 13, 2012, 09:49 AM
To whoever on the MacRumors staff that posted this....you should be ashamed of yourself.

Mad-B-One
Jul 13, 2012, 09:50 AM
Apple should hurry up and release an update permanently bricking any iDevice that has this installed.

I have a better idea: Check their installed purchaises and charge them for what they didn't pay! They probably have a lot of games with rediculous in-app prices and looted that coin. I know there are certain apps where I don't understand who in the right mind would pay $99 for perks. But it is offered and you can be sure that these people used exactly that button on these apps. That would be hay day for Apple: $30 per caught user - not even talking about the devs seeing their bank accounts soar. Imangine a fictive phone call from the dev's bank: "Hello Mr. Miller. Yes, this is your bank. Your business account just has ten-fold the amount of the credit you have with us. We would like to talk to you about investment options."

...and then the cry of a parent who's teen got caught with the hand in the cookie jar: "Kaleb! How in the world did you spend $1200 on iTunes? We wanted to give you a new iMac for your birthday - I guess this will do it instead. You are grounded!" And then you see the first youtube clips parents shooting the iPhones of their kids in the backyard... :eek: :D

kurosov
Jul 13, 2012, 09:50 AM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

It's called not buying it.

bocomo
Jul 13, 2012, 09:53 AM
To whoever on the MacRumors staff that posted this....you should be ashamed of yourself.

why?

like it was explained further up, it will get wide coverage anyway, so why not make everyone aware of the potential DANGER in using the exploit

Mad-B-One
Jul 13, 2012, 09:54 AM
Nah, just outdated thinking, from back when Russia was "the enemy.". Wanna bet the poster is an older person who lived during the cold war?

However, it IS outdated thinking; the cold war is over, Russia is our friend now.

See your point - to a point: They still veto on Syria, they still are practically a police state: Putin cannot run more than 2 terms (in a row) - so he finds a dummy for 1 term and then comes back. Putin's background: KGB in East Germany. He speaks several languages fluently, is very active etc. Typical G-man. Granted: Russia is a friend with benefits for Europe: Oil, gas, other natural resources come from there and products go there. I believe Germany is the biggest importer in Russia.

Let's say, Russia is a Frenemy! :)

Bezetos
Jul 13, 2012, 09:54 AM
This is a problem with any "DLC" that is pre-installed.

You're paying for content that is already on your phone.

There will always be a way to hack it. This hack is actually pretty straightforward.

That's why I'm against in-app purchases. Although thanks to them we have some nice free-to-plays.

shyam09
Jul 13, 2012, 09:55 AM
I wonder why so many people are thinking off this tool to get free apps? The title says IN App, as in purchases within the software.
For example the various pens and brushes in Paper are in app purchases.

NewAnger
Jul 13, 2012, 09:55 AM
Apple has never been 100% perfect on security. They have always left glaring doorways open that allowed potential for abuse.

None of the following works now by the way and it was patched up because of what the following person did.

This person discovered that using gift cards such as the prepaid $25-50 MC/Visa that you could buy at 7-11 and use most of the money and leave a few dollars on would work in creating new iTunes accounts. Remember, these cards only had about $2 left on them. He had about 10 of them and five iPhoned to use a different one daily so the same phone creating multiple accounts daily would not trigger Apples fraud detection. Each day he would use a different iPhone and a different prepaid card and create new accounts. Apples system would allow two per day before giving a warning to contact support.

Immediately after creating the account, he would buy two HD movies or in app purchases totaling a$37. Anymore than this would decline the charge. Because Apple uses s delayed billing and the charge was no more than $37, the purchase would get approved before Apples servers realized the bank declined the purchases with only $2 on the account. This also worked on in app purchases and he used to get thousands of "free" farmcash in Farmville doing this.

This person racked up over $4700 in charged and Apple never caught on until the person tried to do report an unauthorized charge on the wrong account. Apple did some checking and discovered all of these hundreds of accounts with negative balances and suspended his one real open account. Apple has never gone after the person to try and collect that $4700 and they never will.

Apple no longer accepts prepaid gift cards and in some cases, charges go through immediately now to verify the funds exist before allowing a download. Smaller charges are still delayed as they were before.

WestonHarvey1
Jul 13, 2012, 09:57 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

You don't have to play those games or buy those in app purchases.

charlituna
Jul 13, 2012, 09:59 AM
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.

not the experience of the developers I know.

Xultar
Jul 13, 2012, 09:59 AM
It's dumb to ask MacRumors not to report the story.

It isn't as if this is the only site reporting the story.

If people are going to steal they were going to do it whether MacRumors reported the story or not. MacRumors is not here to protect people from their own sins or to stop people from sinning.

You are on your own conscience folks.

mjtomlin
Jul 13, 2012, 10:01 AM
To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.

"Warn" people that taking steps towards stealing might result in unfavorable consequences... Really?

charlituna
Jul 13, 2012, 10:05 AM
.

Those of us who want to jailbreak to simply have full control of our hardware are made to look bad because of people like you.



'Those of us' isn't everyone unfortunately

And Apple isn't going to stop hampering jailbreaking if only because they don't want the retail staff having to deal with the aftermath including folks pissed off cause Apple stores turn them away or any kind of service because they tampered with their devices.

xStatiCa
Jul 13, 2012, 10:06 AM
I bet most of the users accounts will be hacked within the year that actually use this service. I don't know what data is sent to the russian site but I would be willing to bet it is private data that should not be sent elsewhere(potentially login details).

unlinked
Jul 13, 2012, 10:08 AM
Nah, just outdated thinking, from back when Russia was "the enemy.". Wanna bet the poster is an older person who lived during the cold war?

However, it IS outdated thinking; the cold war is over, Russia is our friend now.

I thought Facebook devalued the meaning of the word friend and now I see people claiming Russia is their friend. Kids today!

Mad-B-One
Jul 13, 2012, 10:09 AM
You don't have to play those games or buy those in app purchases.

And most of us don't. Doesn't change the fact. If you have kids, you will soon realize that you might not be the one who wants to have Farmville cash - or what ever that is called. (I don't have Farmville.) Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

charlituna
Jul 13, 2012, 10:11 AM
It's dumb to ask MacRumors not to report the story.



I suspect that the ire is less about reporting the story and the risks, and more linking to the site for this service. Which facilitates using it

----------

Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

if your child, regardless of how responsible you think he is, has the password to your account you deserve him buying out your bank account.

MH01
Jul 13, 2012, 10:12 AM
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

Quality $0.99 apps.... we must use different appstores, I use the Apple one. There is alot of @*#@*& in the $0.99 bracket.

Hyperwezo
Jul 13, 2012, 10:13 AM
He has put his Apple ID email address at the end of the video, doesn't that mean that Apple are able to find out who this person is.

Rafagon
Jul 13, 2012, 10:14 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

Entirely agree with you.

And if any developer deserves their in-app purchases to be stolen, it's ZYNGA, they are the BIGGEST OFFENDER! Even after you fully buy their game ZOMBIE SWIPEOUT, you can only play a few minutes, then you have to BUY COINS JUST SIMPLY TO KEEP ON PLAYING! Go Russian Hacker!!

pubwvj
Jul 13, 2012, 10:14 AM
Theft of property and services. Anyone using this is a thief and should be handled as such. Creating and distributing this tool is a crime as well as it makes them an accessory. The creator is the one who's going to really end up in the deep doo-doo since most users will just get a mistermeaner due to the low value but the creator gets the aggregated total so it's a major felony.

Hastings101
Jul 13, 2012, 10:15 AM
iOS should add a "try" option to the App Store like Windows Phone so that developers can allow users to easily download a "lite" version of their app to try it out. People would be more willing to buy an app after they've tried it and found out they like it instead of the current just reading the description and hoping for the best.

After someone experiences a couple of disappointments I'd imagine piracy begins to seem like a much better alternative. Making it easier to try apps before buying them could potentially cut down on piracy and make users happier.

Xultar
Jul 13, 2012, 10:18 AM
I suspect that the ire is less about reporting the story and the risks, and more linking to the site for this service. Which facilitates using it

----------



if your child, regardless of how responsible you think he is, has the password to your account you deserve him buying out your bank account.

If people can't tell that there are risks to this then they are idiots. MacRumors can't protect people from being idiots.

Nothing is free.

You get common sense from home training. If your parent's, family, friends, juvenile watch monitor whomever didn't teach you not to be an idiot then no one can do it for you.

It is more than obvious this stuff opens your device up to being hacked and whatever else.

Daalseth
Jul 13, 2012, 10:19 AM
Sorry to be paranoid but:
How many of these stories include the phrase "Russian Hacker"
Russia has a very active and well documented history of cyber warfare. Estonia and Georgia come to mind as victims when they were confronting Putin's Russia. Also the Putin government has their hands in every profitable enterprise in Russia.

Now consider that one of the largest AntiVirus/Anti-Malware companies in the world is Kaspersky, from Putin's Russia. Not only do they sell their own AntiVirus product but :

From Wikipedia:
The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (acquired by Microsoft in 2005), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, Wedge Networks, and others.

Anyone else scared?

So no I won't use any software legitimate or not, from a Russian source, certainly not from "a Russian hacker".

zorinlynx
Jul 13, 2012, 10:20 AM
Entirely agree with you.

And if any developer deserves their in-app purchases to be stolen, it's ZYNGA, they are the BIGGEST OFFENDER! Even after you fully buy their game ZOMBIE SWIPEOUT, you can only play a few minutes, then you have to BUY COINS JUST SIMPLY TO KEEP ON PLAYING! Go Russian Hacker!!

That's when you hit the home button, hold down the game's icon, and delete it, and move on with your life.

Why would I want to keep playing a game from a developer whose business practices offend me? There's so many better developers and games out there.

theteeth
Jul 13, 2012, 10:20 AM
Disappointed that you ran this

Mad-B-One
Jul 13, 2012, 10:21 AM
if your child, regardless of how responsible you think he is, has the password to your account you deserve him buying out your bank account.

My child will turn 3 in a coulpe of days. He can distinguish certain letters and reads all numbers. He has my old iPad 1st Gen and an iPod touch. He can navigate these things pretty well. If you live under the illusion that kids won't find out what the password is (remember, there are almost always 2 parents and they just have to crack the weaker link), you have a different opinion of what these kids will be capable of when it comes to technology. I'd rather tell him the password when he is old enough and explain and monitor what he is doing rather than raising the virtual firewall and hope he doesn't outsmart me. I studied some computer science for a couple of years until I got bored and changed disciplines. I mostly know what I do (working in the IT field for years helped as well), but I don't fool myself into believing that my son will not have a better understanding one day, rather sooner than later. He has his train game Apps on the old iPad and iPod and knows how to find them, start them, switch them, turn off the screen, unlock, even in-game navigation, he caught on to it pretty quick and if he accidentally hits an in-game add, he knows how to get back. I work full-time. My jaw dropped when I saw that first time on a weekend. As I said - he is TWO years old. (Well, almost 3 but he does that since a while, unlocked the device with 1yo.)

tomtom2234
Jul 13, 2012, 10:22 AM
I WANT! :eek:

I'd feel safer just using the hand full of repos that do the same.

dejo
Jul 13, 2012, 10:23 AM
I suspect that the ire is less about reporting the story and the risks, and more linking to the site for this service.

Except the article doesn't link to the site.

Rafagon
Jul 13, 2012, 10:25 AM
The articles states that "Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps."

So it is the fault of developers not doing things correctly in the first place. I do not feel sorry for them at all.

mono1980
Jul 13, 2012, 10:29 AM
What could possibly go wrong? :rolleyes:

Mad-B-One
Jul 13, 2012, 10:32 AM
Except the article doesn't link to the site.

Thought about posting this and then I thought: "Let's see when someone will realize." :D

Nungster
Jul 13, 2012, 10:32 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

No one is making you buy the items, or play the game.

BassPlayer
Jul 13, 2012, 10:33 AM
Personally, I believe any one who wants to utilize this exploit, should. Load it up and get all the coins, extra levels and whatever you can get. Because when your bank account is zeroed out by the hacker(s), you can go cry to no one. Hopefully that'll be a hard lesson learned.

It's the same as falling victim to a trojan horse loaded in a torrent of the Beatles discography you downloaded. You get what you deserve.

Jewbeard
Jul 13, 2012, 10:35 AM
With so many ways to obtain free software - be it GNU, Open-Source, Shareware, demos, trials, promotions - it is amazing that people still find a justification for piracy. Not to mention educational and workplace discounts abound. As for media like TV, movies, and music - the media companies go out of their way to give us free content, G-d forbid there is some advertising so they can pay to host their servers or pay the content creators.

jclardy
Jul 13, 2012, 10:37 AM
So this guy who is encouraging people not to pay for software wants people to donate money to him?

I feel his plan was not well thought out.

KPOM
Jul 13, 2012, 10:38 AM
To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.

Report it, yes, but don't spread links.

WestonHarvey1
Jul 13, 2012, 10:38 AM
And most of us don't. Doesn't change the fact. If you have kids, you will soon realize that you might not be the one who wants to have Farmville cash - or what ever that is called. (I don't have Farmville.) Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

I don't know. I have some confidence in my abilities to discipline my son. I didn't spend all my parent's money when I was a kid. I realize it's easier to blow money now but that doesn't make it an insurmountable task.

Shrink
Jul 13, 2012, 10:42 AM
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

I agree completely. Not having the easy opportunity to steal stuff just keeps me awake at night. Now I can steal apps and money from the developers with ease.

Made my day...:rolleyes:

boyd1955
Jul 13, 2012, 10:44 AM
As 98% of apps are complete rubbish and no better than spam anyway, I'd say this was a good thing ... Though anyone who downloads the crap even for free is little more than a good advertisement for euthanasia really

Winni
Jul 13, 2012, 10:44 AM
Apple should hurry up and release an update permanently bricking any iDevice that has this installed.

Yessir! And send their owners to Guantanamo for life - with daily waterboarding!

Xenomorph
Jul 13, 2012, 10:45 AM
With all the money I can save on Smurf Berries, I can finally afford that dream home I've been wanting!!

visor
Jul 13, 2012, 10:48 AM
Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.


Lets face it. Developers not validating their in-app purchases against Apple are not worth paying. It's transaction 101.
Problem is - those who do will not be able to sell anything anymore; plus might get all kind off support questions on why in app purchase does not work... that sucks.

BornAgainMac
Jul 13, 2012, 10:49 AM
This button looks scary Image (http://i.imgur.com/B0p3E.jpg)

I thought it was a Star Trek app. Klingon for Hello.

Schizoid
Jul 13, 2012, 10:50 AM
I wonder which story will be left for us to stare at over the weekend!

Mad-B-One
Jul 13, 2012, 10:51 AM
I don't know. I have some confidence in my abilities to discipline my son. I didn't spend all my parent's money when I was a kid. I realize it's easier to blow money now but that doesn't make it an insurmountable task.

Same here. When I see how other parents are sometimes oblivious to technology and hence the control over what their kids are doing, I think that this is still an issue. My point was simply: We as adults knowing that you have to earn each dollar/pound/euro and you can only spend it once will not buy Farmville cash. Educated and aware parents will make sure that their kids know what the boundaries of their actions are and monitor what they do. Others really don't. Just look how well-spread sexting is: My son will realize early on: If it is not clean enough for my and my wife's eyes, it's better not on his electronic devices - and I won't just trust him - I will diligently check him. Some might see it as intrusion into privacy. It's technically my device, he just borrows it.

the8thark
Jul 13, 2012, 10:55 AM
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

I am quoting this for truth.
Double standards much?

vsighi
Jul 13, 2012, 10:55 AM
Sorry to be paranoid but:
How many of these stories include the phrase "Russian Hacker"
Russia has a very active and well documented history of cyber warfare. Estonia and Georgia come to mind as victims when they were confronting Putin's Russia. Also the Putin government has their hands in every profitable enterprise in Russia.

Now consider that one of the largest AntiVirus/Anti-Malware companies in the world is Kaspersky, from Putin's Russia. Not only do they sell their own AntiVirus product but :

From Wikipedia:
The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (acquired by Microsoft in 2005), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, Wedge Networks, and others.

Anyone else scared?

So no I won't use any software legitimate or not, from a Russian source, certainly not from "a Russian hacker".

I think all this company's that you mentioned above are doing business with MICROSOFT not Karpersky...Microsoft is the guaranty that all this company will get the service they want...Yeah I'm scared that Apple is creating a beautiful product and some dirt bag CRIMINAL is distorting everything APPLE stands for. :mad:

T. Durden
Jul 13, 2012, 11:03 AM
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?

That couldn't be further from the truth. The top grossing app in the App Store today is 100% due to IAP. It isn't the first time either.

NewAnger
Jul 13, 2012, 11:06 AM
How did you get to this conclusion? The users have to manipulate their devices to use this exploit. It doesn't make your or my device less secure.

Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.

When Apple did find out about these accounts, they never did a thing to try to collect that debt.

lifeinhd
Jul 13, 2012, 11:08 AM
That's when you hit the home button, hold down the game's icon, and delete it, and move on with your life.

*Mentally downvotes*

Fine for a free app, not so good for a paid app.

Eadfrith
Jul 13, 2012, 11:08 AM
...and I bet your bank account will be cleared out in a few weeks time too.

mabaker
Jul 13, 2012, 11:11 AM
Okay, I must have read "does not" as "does".

Oops, my bad!

Image (http://images1.wikia.nocookie.net/__cb20110718083419/mlp/images/archive/7/73/20110718131822!Derpy_id.png)

I wish Apple incorporated Ponies in their next Mac OS Xiteration. Just for kicks and differentiation.

ArtOfWarfare
Jul 13, 2012, 11:14 AM
I'm pretty sure this hack will not work if the app employs Apple's server-side receipt verification. If in your case the game guide was downloaded from a server only after an in-app purchase - rather than being included in the app and then being 'activated' - and the server verified the in-app purchase with Apple, they would be able to carry out the hacked "purchase" but you could simply not allow the download of the guide.

One of my clients has a popular (UK top 50 grossing) app that derives all its income from IAP and we have, in the past, had issues with the jailbreak iap hack, however that hack is defeated by the verification method.

Interesting point, but I don't have the resources (namely money... also expertise,) to set up a server from which IAP may be downloaded.

lkrupp
Jul 13, 2012, 11:14 AM
I WANT! :eek:

Yes, thieves wold want this I suppose. Are you a thief?

spartig
Jul 13, 2012, 11:22 AM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

Exploit! Really? Developers aren't allowed to make a living? Is it wrong for developers to charge for their content? If it's not worth it to you then don't pay for it and live with out it!

atzeX
Jul 13, 2012, 11:34 AM
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

Then don’t use that games.
It is not up to you to decide if it is "ludicrous" and then just go and steal.

----------

It's just a final nail in the coffin for IAP, I say.
1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.


This is totally wrong. You can ask Apple’s servers if the receipt you get is a real buy. We do it that way and have no fraud so far (In fact people try but will not get through)

Sackvillenb
Jul 13, 2012, 11:35 AM
Crap, well that's not good!

gnasher729
Jul 13, 2012, 11:36 AM
I guess it's official now that Apple is absolutely worst company among its peers when it comes to security.

www .theregister.com reported this week that some rogue Android app caused some hundred thousand Android users to involuntarily buy apps from some store in China. That's hundred thousand Android users who lost money. So come again.

-20 down vote for you, since the buttons are gone.


This is totally wrong. You can ask Apple’s servers if the receipt you get is a real buy. We do it that way and have no fraud so far (In fact people try but will not get through)

Just curious: Would you know if someone tried to get your in-app purchases for free? If yes, do you have any statistics?

Amazing Iceman
Jul 13, 2012, 11:39 AM
People don't realize that when using a proxy server, all their traffic gets intercepted and logged.
The hacker could have used this strategy to retrieve thousands of AppStore accounts, credit card information and who knows what else.

To those who tried this, you better call your bank and change all your passwords.

Tech198
Jul 13, 2012, 11:39 AM
hahah !! +1 i'm aware of the above .... :) fully aware.

Sweet .. :)

Neat hack.

People aren't waiting these days for IOS updates to be 'officially' been released anymore...... I wonder if Apple is aware of this. :apple:

madfelon
Jul 13, 2012, 11:41 AM
Boom I'm getting my free app's all day long! Who pays for apps? haha

Jugney
Jul 13, 2012, 11:41 AM
My little brother made the game in the video - Highway Rider. I should beat this hacker up for trying to steal from him!

AppleFan1984
Jul 13, 2012, 12:01 PM
To whoever on the MacRumors staff that posted this....you should be ashamed of yourself.
Don't shoot the messenger. It's not MacRumor's fault that there are holes in the garden walls.

ethana
Jul 13, 2012, 12:07 PM
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?

Your statements are flat-out wrong.

1. I make most of my revenue from IAPs.

2. No, you just need to get better at development.

3. It will be fixed shortly.

And for everyone else, please don't steal with this hack. It will hurt many 1 and 2-man software shops like mine. It's what I do for a living. You wouldn't want someone coming to your workplace and stealing money out of your pocket, would you?

if you feel like an IAP is priced too high, don't buy it and find an app that competes for cheaper. Simple as that.

AppleFan1984
Jul 13, 2012, 12:12 PM
Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.
Did you notify the authorities of this grand theft?

----------

...and I bet your bank account will be cleared out in a few weeks time too.
If this hack can obtain your banking info from your phone Apple has a more serious problem here than we thought.

ethana
Jul 13, 2012, 12:13 PM
Devs, just use the free MKStoreKit open source code to manage all of your IAPs. It's super easy and will read receipts for you. You will not be affected by this hack.

MadGoat
Jul 13, 2012, 12:21 PM
If you're using this to get "full" games from trial apps, shame on you. If you're using this to get coins, donuts and smurfberries, or any other virtual currency, I say go nuts.

If you have a paid app, like I do and it requires IAP to proceed at any reasonable rate of time, again, go nuts!

TouchMint.com
Jul 13, 2012, 12:28 PM
Good thing I dont have any IAP on my apps! (not that anyone would wanna steal anything from mine lol)


I feel bad for the indie devs that have all these IAP tho. Apple has been pushing devs to go the free/IAP route.


I do think its funny what its going to do to the economies of all those with friends games lol.

----------

Your statements are flat-out wrong.

1. I make most of my revenue from IAPs.

2. No, you just need to get better at development.

3. It will be fixed shortly.

And for everyone else, please don't steal with this hack. It will hurt many 1 and 2-man software shops like mine. It's what I do for a living. You wouldn't want someone coming to your workplace and stealing money out of your pocket, would you?

if you feel like an IAP is priced too high, don't buy it and find an app that competes for cheaper. Simple as that.

It will be really interesting to see what it does to revenue rankings. It might be a loss right now but if they are registering as real buys in the ranking systems it will be some good advertising for the apps that shoot up to the top of the revenue charts.

bushido
Jul 13, 2012, 12:29 PM
Just kidding. But really, how can foreign language look scary? Scared of the unknown?

russian always looks like "alien" to me, reminds me of the Transformers writing ^^

it does look cool however

IPA suck, ill never spent money on more "coins" or some crap just to finish the game faster

alent1234
Jul 13, 2012, 12:29 PM
Interesting point, but I don't have the resources (namely money... also expertise,) to set up a server from which IAP may be downloaded.

amazon cloud?

BeyondtheTech
Jul 13, 2012, 12:34 PM
I posted this on Gizmodo, but it's worth repeating.

Some fair warning to those thinking about using the recently-posted hacked iAP method:

You have to enter your iTunes credentials just like a real in-App purchase. Considering you're going through a stranger's proxy, you may be giving up that information into their repository. Whether they use it for their own malicious purposes, or if they turn around and expose it, the public, hackers and Apple alike can see who used it. Your account could be blacklisted by Apple, and even worse, if you're a developer, you could end up getting kicked out of the App Store yourself.
The in-App purchase itself is faked, so trying to restore a purchase on another linked device or after a reinstall of the app is not going to work. If Apple or the dev comes up with an update to the software or system, they may be able to detect faked purchases.
Developers do keep track of things running on your devices by means of analytics, so if one day you have 5 Smurfberries and the next day you have 5,000,000 of them, but there's no sales to prove it for that day, well, you could be basically caught. What they can do to you at that point is up to them and/or Apple.
When you change your DNS, you're routing ALL your network requests to them like a proxy. There's no telling what else you're transmitting to them, like if you happen to launch your Facebook app and it authenticates, or if your iPhone is pinging the email server for new mail, or if you've logged into your bank's app for a transaction, you're basically routing all requests through them, where they could be tunneling it through another server to the respective service, all transparently. But while it's going through that proxy, they could be logging all that information quietly for their nefarious purposes.
If NOT cheating a lot of starving, aspiring developers out of chump change they're trying to earn enough to get out of their 9-to-5 jobs, or just to maintain a living for themselves and their families, perhaps the reasons above could dissuade you as well.

bluebirddaze
Jul 13, 2012, 12:43 PM
Wow...just another form of theft. I hope Apple closes this door ASAP. Not that I dont like free stuff, but this theft of developers hard work. I really feel this is counterproductive and in the long run bad for the Apple ecosystem. These forms of theft should be left for the jailbreakers and never reported on for mainstream use.

geoffm33
Jul 13, 2012, 12:47 PM
Wow...just another form of theft. I hope Apple closes this door ASAP. Not that I dont like free stuff, but this theft of developers hard work. I really feel this is counterproductive and in the long run bad for the Apple ecosystem. These forms of theft should be left for the jailbreakers and never reported on for mainstream use.

Do you think all jailbreakers are thieves? :eek:

hayesk
Jul 13, 2012, 01:05 PM
Boom I'm getting my free app's all day long! Who pays for apps? haha

People who think developers deserve to get paid for doing their job. I hope your boss doesn't feel the same way you do.

madfelon
Jul 13, 2012, 01:19 PM
People who think developers deserve to get paid for doing their job. I hope your boss doesn't feel the same way you do.

I just picked up BarMax NY for Ipad, cost 999.99 in store my price free!!!!! :eek:

lordreye
Jul 13, 2012, 01:22 PM
By "obtain content for free", you mean steal. Why would you not call it for what it is?

Jason Garza
Jul 13, 2012, 01:23 PM
I wish this wasn't so risky!

It's like sex, you have to decide if the risks are worth the rewards. How bad do you want it?

ChristIsLORD
Jul 13, 2012, 01:31 PM
I just picked up BarMax NY for Ipad, cost 999.99 in store my price free!!!!! :eek:

Wonderful.

You should be ashamed that you reported this, MR. You could post that the security flaw existed, you did NOT have to mention specific methods and embed a youtube of how to do it. I agree with everyone that says if this garbage was posted in the forum, it would be closed.

I just hope you remove this article instead of moving comments to a thread in the politics forum.

hchung
Jul 13, 2012, 01:42 PM
Closure of me.com account in 3, 2, 1.... disabling of PayPal account in 3, 2, 1... as clever as the guy was to get around the in app purchasing security, he didn't think this through very well :D

Kind of baffling Apple would allow this kind of hack... don't apps use HTTPS to talk to Apple servers? Even if you DNS spoof the address - and this is obviously always possible, if not on the device then in your local router - the software should still find the certificate incorrect. That's the whole reason for the certificate system.

I have been wondering if DNS spoofing would possibly get around HTTPS certificate checks - as in what if I spoof both the receiving server, and the certificate authority server, and bless my own faulty certificates as correct from my own fake cert server.... - but I have to believe they thought of that. Haven't they?

Anyway with Apple's own ironclad security this should be an easy fix.

Apple does use HTTPS. The two profiles that need to be installed onto a phone redirect DNS to a different server and then add a certificate so that the fake server looks real (has a valid cert, since you just installed it).

Now using HTTPS, you have a "secure" connection to a fake IAP server.

Everybody involved in designing this stuff has thought about it because it's just the way HTTPS works because it's the same process as setting up an HTTPS server in the first place. And they expect it to happen. Which is why Apple provides a way for an app to validate purchases. Unless you plan on living on the fake server for life, the app will eventually need to contact the real server do a validation check for all the purchases and decide what to do then.

If the IAP server happens to be used for another vital service, then doing this hack might break that too, further making it harder to stay on a fake server forever.

If you're an app developer and wanna grab some statistics, have a server setup that you can push reciept validation failures to and let us know the results! I'd be interested in hearing about it and I'm sure a lot of others would too.

spartig
Jul 13, 2012, 01:46 PM
Lazy Developers deserve getting shafted...
The articles states that "Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps."

So it is the fault of developers not doing things correctly in the first place. I do not feel sorry for them at all.

So with this thinking then you and your family deserve to get robbed and killed. Because you don't hire a private armed security team to watch over you day and night.

Get a clue! Get a life! And stop trying to justify yourself in being a thief!

CJM
Jul 13, 2012, 01:49 PM
No, really? :rolleyes: I said it "looked" scary

The Russians are coming! :rolleyes:

cotak
Jul 13, 2012, 02:39 PM
What's interesting to me isn't so much this story. I expect we'll continue to see more and more security related news from Apple until they finally get serious about their security.

Rather, it's interesting how the majority of the posts on this forum is about whether posting this story was right or wrong. Or about the morality and potential fall out for people who used this hack.

Kinda missing the white elephant in the room there people.

geoffm33
Jul 13, 2012, 02:45 PM
What's interesting to me isn't so much this story. I expect we'll continue to see more and more security related news from Apple until they finally get serious about their security.

Rather, it's interesting how the majority of the posts on this forum is about whether posting this story was right or wrong. Or about the morality and potential fall out for people who used this hack.

Kinda missing the white elephant in the room there people.

Likely because not many of the posters in this thread consider this a security issue, myself included. A security issue would be the ability to download a rogue app from the app store, or someone hijacking your iPhone by visiting a seemingly innocuos site.

This is a loophole that allows the user to bypass the need to purchase in-app upgrades/purchases. With security related issues, the user is the victim. Here, the user is the perpetrator.

Colpeas
Jul 13, 2012, 02:46 PM
According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

You can't expect the thieves to pay. Sad true.

tdhurst
Jul 13, 2012, 03:02 PM
How is this okay and why are news sites publicizing it?

It's theft, stealing, infringement, or unauthorized, right?

The dude that created the exploit handed off the site so he didn't go to jail? What a jerk.

----------

What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

THEN DON'T BUY THEIR APPS.

Just because you can't afford it doesn't mean it's okay to steal.

montclaire
Jul 13, 2012, 03:10 PM
His paypal address is @me.com. lol why use apple's email to steel from their developers?

Do you honestly believe he used his own credentials for this address?

firewood
Jul 13, 2012, 03:17 PM
This bypass tool will be a great path to serious financial theft. Once a user starts installing DNS certificates from foreign sites, there's bound to be a bunch of these certificates re-routing DNS for the user's bank password login page to interesting foreign countries. Steal a 99 cent in-app-purchase and get your bank account emptied to Nigeria. Deserved?

CGagnon
Jul 13, 2012, 03:26 PM
As a developer myself, I hope this is a wake-up call to developers (specifically of games), who try to get away with ripping off users. Charging well over $20 for something as meaningless as "coins" that can only be used in the game is a joke. But I'm sure they make tons of money off kids with their parents credit cards.

Makes me want to add ridiculous in-app purchases in my apps just to see how dump people really are.

MacinDoc
Jul 13, 2012, 03:33 PM
How is this okay and why are news sites publicizing it?

It's theft, stealing, infringement, or unauthorized, right?

The dude that created the exploit handed off the site so he didn't go to jail? What a jerk.

----------



THEN DON'T BUY THEIR APPS.

Just because you can't afford it doesn't mean it's okay to steal.
Exactly, this guy is publicly distributing tools for theft, and promoting them for exactly that purpose. But of course such a scumbag would be too cowardly to take responsibility for his actions. Hopefully the rest of us do take responsible action by not using these tools.

And I agree that no matter how overpriced someone thinks an in-app purchase is, using these tools to generate a receipt for something you didn't purchase is still stealing, just as much as it would be if you robbed Tiffany's and then tried to return the stolen merchandise for a refund using a forged receipt. Just because Tiffany's is overpriced doesn't give anyone the right to steal from them, and the same applies to developers with overpriced in-app purchases (which, BTW, I believe are for the most part overpriced).

StyxMaker
Jul 13, 2012, 03:33 PM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

So, you're saying it's ok to steal anything you think is over priced? Awfully convenient morals.

s15119
Jul 13, 2012, 03:34 PM
Why does this site continue to encourage piracy?

faroZ06
Jul 13, 2012, 03:35 PM
Wait, they didn't already have this?? I normally hate piracy, but I like it if people steal FarmCoinz or whatever for those stupid games that want you to pay real money for fake points.

----------

Why does this site continue to encourage piracy?

Do news sites encourage murder when they report murders?

geoffm33
Jul 13, 2012, 03:36 PM
So, you're saying it's ok to steal anything you think is over priced? Awfully convenient morals.

But all they are stealing are bits and bytes, no real products!!!!! :rolleyes:

/sarc

StyxMaker
Jul 13, 2012, 03:36 PM
I wish this wasn't so risky!

Because stealing should be safe?

s15119
Jul 13, 2012, 03:36 PM
how do i give you a downvote?

----------



right, like people don't know how to google search..yeah, it doesn't matter. other sites do so, why would MR post an incomplete article?

because it would be the responsible thing to do.

mabhatter
Jul 13, 2012, 03:53 PM
Thanks MacRumors for posting this on your front page. This is a significant news story and warrants that people who use IOS devices are made aware. Surprising that a few people think that this story should be hidden somewhere.

It is not that significant, because as a user you are not going to use this "accidentally". It's just s free stuff scam.

As a developer, there is some interest because some people are going to take advantage of the IAP... And when these servers go down a bunch of kids are going to cry because they cant reload their stolen content from the PAID developer server.

Cenobite
Jul 13, 2012, 03:54 PM
thenextweb.com did an interview with the "developer" of that hack (link (http://thenextweb.com/apple/2012/07/13/how-a-flaw-in-apples-in-app-purchase-process-enabled-more-than-30000-illegal-virtual-transactions/)). The most important part of the article is this:

[...] which he says gathers no personal information from its users, though those using the hack do transmit their Apple ID and password to the service when using it. That alone should deter any potential users."

staypuffinpc
Jul 13, 2012, 04:18 PM
1 - It generates almost no money (in my experience, anyways.)


Just to counter that argument, I was speaking last Friday with an inside person at Chair and they told me that over half of the revenue generated from the Infinity Blade series has come from IAP. Considering that EPIC games recently declared that the Infinity Blade series has been their most profitable to date, I'd say there is reason to believe that IAP done correctly can be quite profitable.

Just sayin'

koban4max
Jul 13, 2012, 04:21 PM
If app developers have problem with this...well, that's their problem. What? They tried to go around Apple's app system (30% thing) and charge us, the customers, the freakin' in-app for a high price even when many of us buy the full game for whatever price. So, I support this method, but hate the information being sent out.

----------

Just to counter that argument, I was speaking last Friday with an inside person at Chair and they told me that over half of the revenue generated from the Infinity Blade series has come from IAP. Considering that EPIC games recently declared that the Infinity Blade series has been their most profitable to date, I'd say there is reason to believe that IAP done correctly can be quite profitable.

Just sayin'

However, you sound like you support IAP. Others shouldn't be charged with in-app stuff when they purchased the game full price..or full game.

coolfactor
Jul 13, 2012, 04:26 PM
I saw this on 9to5, was kind of hoping you wouldn't post it.

Why? Because you like the idea of what's happening here?

It's good in that it's revealed a weakness in Apple's system.
It's bad because it creates a false sense of entitlement for users.

----------

I'm disgusted to read that passwords are passed through as cleartext... if that is true, Apple deserves a serious slap on the hand. Purely irresponsible. The password should be securely hashed *on the device* before sent across the wire or over the air.

NewAnger
Jul 13, 2012, 04:44 PM
Did you notify the authorities of this grand theft?

----------


If this hack can obtain your banking info from your phone Apple has a more serious problem here than we thought.

Apple already found about it and chose to do nothing. This was back in October. All they did was suspend the guys real account so he could not buy anything. He has since sold all of his Macs because they banned them also from buying from the iTunes store. He bought new Macs and is now using the store again but honestly this time.

ArtOfWarfare
Jul 13, 2012, 05:12 PM
If app developers have problem with this...well, that's their problem. What? They tried to go around Apple's app system (30% thing)

You don't know what you're talking about.

Firstly, the system used for In-App Purchases is provided by Apple (note the fact that you can view the most common in-app purchases for an app directly from the app's page on the app store. Additionally, in-app purchases factor into an app's ranking on the top grossing chart.)

Secondly, Apple charges developers 30% for any in-app purchases, as well.

Thirdly, Apple forbids developers from including links in their app that take users to pages outside the app that allow additional content. (That's why, for example, you can't sign up for a subscription to Netflix directly from Netflix's app.)

and charge us, the customers, the freakin' in-app for a high price even when many of us buy the full game for whatever price. So, I support this method, but hate the information being sent out.[COLOR="#808080"]

iOS users spend a little over $4 each month on apps
SOURCE: http://gigaom.com/apple/how-much-did-you-spend-on-apps-this-year/

In what world is $4 the full price for a full game? Last time I checked, full games cost at least $20 if you want to buy it in a retail store. Fact of the matter is, most users don't pay a "high price" for a "full game".

To supplement that small income (and it is small. I could easily make more money at McDonald's rather than working as an independent developer. I do it because I love it. Also because I just got hired to do it for a lot more than I was making when I did it alone) developers offer In-App purchases. A few extra colors in Draw Something are by no means an essential feature. You can play the game without them. Asking for a measly... what is it, $2 for a pack of 5 colors... seems perfectly reasonable to me.

Personally, I'm planning to sell a game guide for my next game for $3, for a $7 game. I think it's perfectly reasonable... physical game guides generally cost $20 for a $50 game.

StyxMaker
Jul 13, 2012, 05:16 PM
And most of us don't. Doesn't change the fact. If you have kids, you will soon realize that you might not be the one who wants to have Farmville cash - or what ever that is called. (I don't have Farmville.) Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

It really doesn't matter who 'wants' the product, if it costs too much don't buy it. You can't tell your kids 'no' when they want something?

3dflyboy1
Jul 13, 2012, 05:18 PM
This is one of the first things I did after jailbreaking. Call it "theft" if you like, but it's petty digital content (in contrast with music, books, movies, etc.), and the developers are dirty rotten scumbags for putting this kind of thing in apps. Especially if I've already paid for the stinkin' app!

netkas
Jul 13, 2012, 05:22 PM
If receipt validation is done on client device - receipt can be faked too, as the process uses https connection to apple servers too. Just to fake one more https answer, and need to know inapp names.

But, if you were smart enough to make server-side receipt check on your server (which cannot be dns spoofed) and secure connection to your server from your client app, then you aRe fine. Or having user's purchase history/balance saved on your server is fine too.

Anyway, if you were smart enough to implement a proper server-side receipt check(as I did) then you are not affected by this in any way, otherwise you are dumb developer and getting your lesson right now.

psingh01
Jul 13, 2012, 05:43 PM
Save a couple bucks and you wind up giving the hacker your userid and password.

planetawesum
Jul 13, 2012, 06:21 PM
Im so over paying suffrage controlled by sociopaths for technology raped from our collective earth. Supporting middlemen/ economic terrorists is irresponsible, unsustainable. Everything will be free eventually when we grow up out of this dark age mess of immaturity and inefficiency. So we might as well get used to sharing. Sharing is caring <3 Good technology/ software is a joint venture, and our right as humans to use. The internet is a collective project. Everyone has contributed. We all use it now. It isn't free cause we haven't made it free for all. Why not? cause we're still in slave mode. Traumatized. Spineless. This fellow isn't stealing. Property is theft and theft is property. They are stealing from him and he is reclaiming what's his, what's all of ours. Apple gets rich off not paying the people that construct it's products the wage they deserve (profit share) and making it's "consumers" pay too much for it's products (price markup).

Is this ok with you all that actually know about thievery, i mean business/ economics? Who are you protecting, apple? haa.. Devs aren't getting rich for sure. I don't check apple forums much anymore but i have noticed apples' costumer service department getting much less customer friendly. The core people that keep apple going that is. Where's my profit share?

applesith
Jul 13, 2012, 06:29 PM
Do you honestly believe he used his own credentials for this address?

Who cares. Out of all the emails to choose. Go with yahoo. It's easy to do shady stuff from there.

firewood
Jul 13, 2012, 06:51 PM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

A developer can't exploit a single user who knows those berrydots (or whatever) are NOT worth their silly price, and just stops playing their stupid little app. Consider those freemium items a excellent tax on stupidity and a wasted life.

KPOM
Jul 13, 2012, 06:53 PM
Property is theft and theft is property.

Without property rights, all other rights are meaningless.

Justim
Jul 13, 2012, 07:08 PM
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

Thank you! One thing I love about the app store is that developers can easily provide apps while cutting down on cost of advertising. While there are hackers, few are able to penetrate into the app store. This results in lower priced software. I think apps over $9.99 should be approved through Apple under a fair and reasonable pricing negotiation. In-app purchases should be covered under the same standards. A specific example are games that charge $49.99+ for "coins" or "tokens". This is unreasonable. These purchases add no extra features for the app and should be emlinated. Most current in-app purchases are stifling innovation. The developers are simply looking for more money, and it's unfair. These purchases are too tempting and deploy what I like to call a "casino effect" where you pay your money and get nothing more than a few fun hours out of the app.

Apart from the consumers that understand how these things work, most blindly pay money for relatively nothing.

I know I'm a bit of an extremist. But I'd be willing to meet in the middle.

On a different note, I wish Apple would drop support for iPhone apps on the iPad with iOS 6. These apps look terrible. It may force developers to release an iPad version. But that's a different subject entirely.

Swordylove
Jul 13, 2012, 07:12 PM
Passwords sent in plain text?? :eek: :mad:
Unacceptable. If not for this Russian hacker, we wouldn't have known about this. I'd like to thank him for that.

troop231
Jul 13, 2012, 07:53 PM
The Russians are coming! :rolleyes:

What? It makes no sense that the dialog and the right "Like" button are in English, but the left Cancel one is in Russian..

dazed
Jul 13, 2012, 09:27 PM
Agreed that some in app purchases are a big con but then the best way to combat this is to simple not buy them. This will send a message to the developers that we won't put up with their crap.

All this hack does is hurt the honest developers.

Hawkeye411
Jul 14, 2012, 12:31 AM
Works great!!! Thanks!!!

Rocketman
Jul 14, 2012, 12:59 AM
I think it is kinda cool someone without malicious intent did this first (if it even is the first), then made it as widely public as possible, even giving interviews. It will help Apple to plug this hole and also to think along these lines for other issues.

Rocketman

samdev
Jul 14, 2012, 07:20 AM
Whenever you make an IAP purchase, your Apple ID and password is sent.

So, if you use this hack, you will have a truckload of Russian hackers logging into your Apple account
in the next few days. Great.

I don't think a lot of people will be reading the instructions too closely om this hack.
All they see is FREE COINS, FREE COINS!

hogo
Jul 14, 2012, 08:35 AM
Whenever you make an IAP purchase, your Apple ID and password is sent.

So, if you use this hack, you will have a truckload of Russian hackers logging into your Apple account
in the next few days. Great.

I don't think a lot of people will be reading the instructions too closely om this hack.
All they see is FREE COINS, FREE COINS!

Unless you immediately change your password after(stealing) shopping.

gnasher729
Jul 14, 2012, 08:43 AM
Works great!!! Thanks!!!

I thought a little bit about how this hack works. And while I don't know whether this hacker intended to defraud only app developers, or if he intended to defraud gullible users as well, it is quite obvious that this hack opens users like Hawkeye411 to massive fraud.

Here's what the hack does (not technically accurate, but the principle is correct): Whenever a user wants to do an in-app purchase, the in-app purchase code on your iPhone or iPad talks to a server at Apple, lets say at inapppurchases.apple.com. As a user, you modified settings on your device so that all web traffic to inapppurchases.apple.com goes to inapppurchases.russianhackers.com instead. However, that wouldn't just work, because your device wants a certificate for "inapppurchases.apple.com", and only Apple can produce this. Here's where the second step comes in: The user also modifies their certificate store, so that any certificate issued by www,russianhackers.com is automatically trusted.

Now you are wide open to fraud: First, your Apple ID and password are sent. Normally, they would be sent to inapppurchases.apple.com, safely encrypted with a key that only Apple has, so only Apple can read them. But now they are sent to inapppurchases.russianhackers.com, safely encrypted with a key that only the russian hackers have, so only they can read it... I guess you see what the problem is.

Another problem is that your device has now been changed to trust anyhing with a certificate created by www,russianhackers.com. So if you go to the Amazon website, or your banks website, then someone can redirect your web traffic to go to a fake site (which is difficult, but not impossible), and if that fake site has a certificate that says "this is www,amazon.com, signed by: www.russianhackers.com", then your device will trust that fake site!

So hawkeye, enjoy as long as there is money in your bank account. :eek:


This is one of the first things I did after jailbreaking. Call it "theft" if you like, but it's petty digital content (in contrast with music, books, movies, etc.), and the developers are dirty rotten scumbags for putting this kind of thing in apps. Especially if I've already paid for the stinkin' app!

-10 downvote. Think very, very hard about who are the dirty rotten scumbags here. And nobody will cry any tears for you if your bank account is emptied.


According to [developer Marco] Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

No, Marco. If a user is dishonest enough to try to get in-app purchases for free, and stupid enough to install certificates from an unknown hacker, then they only get what they deserve. The Apple ID and password are sent safely to the intended recipient, and nobody but the intended recipient can read them. It's not Apple's fault if a user redirects the data to some hacker.

sonovale
Jul 14, 2012, 09:06 AM
So we should discover and implement anti hack policy.:p

samdev
Jul 14, 2012, 09:14 AM
Unless you immediately change your password after(stealing) shopping.

So, you think you can out-smart the Russian hacker by giving them a fake Apple ID and password?
Lol. You're still installing some untrusted certificates. Who knows what worms that will open.

blueroom
Jul 14, 2012, 09:36 AM
Do you think all jailbreakers are thieves? :eek:

I think all installous users are thieves.

NewAnger
Jul 14, 2012, 09:42 AM
I think all installous users are thieves.

There is one truly good usage for installous. There was a time when I was using an original iPhone and accidentally upgraded an app which no longer gave support to 3.1.3 which I think the original iPhone ran that last time I owned one. Of course that app no longer would run on the original and I no longer had the version that would so I would go and grab the old version that last ran on the iOS version. In that case, I was not a thief, just wanting an app version that would still run on my old original iPhone.

Colpeas
Jul 14, 2012, 09:47 AM
Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

Easy fix - set up a brand new free iTunes Account and use that one instead for in-app "purchasing". No one will be then able to obtain your real information.

Sixtafoua
Jul 14, 2012, 09:52 AM
I'm all for jailbreaking and customizing your device to make it your own, but when it comes to stealing from developers, that's where you have to draw the line.

B777Forevar
Jul 14, 2012, 10:10 AM
Why am I not surprised something like this comes out of Russia?

Fruit Cake
Jul 14, 2012, 10:54 AM
In soviet Russia, you don't download app, app downloads you!

tdhurst
Jul 14, 2012, 12:03 PM
Wait, they didn't already have this?? I normally hate piracy, but I like it if people steal FarmCoinz or whatever for those stupid games that want you to pay real money for fake points.

----------



Do news sites encourage murder when they report murders?

No, but they don't publish step by step instructions on how to get away with murdering people.

faroZ06
Jul 14, 2012, 02:26 PM
No, but they don't publish step by step instructions on how to get away with murdering people.

They typically do explain how the criminal committed the crime if they have details on it.

Cod3rror
Jul 14, 2012, 04:11 PM
I don't support this, but I hate in-app purchasing, it's a good for developers to nickel and dime users. I payed for the app right? Give me a full version.

koban4max
Jul 14, 2012, 06:08 PM
You don't know what you're talking about.

Firstly, the system used for In-App Purchases is provided by Apple (note the fact that you can view the most common in-app purchases for an app directly from the app's page on the app store. Additionally, in-app purchases factor into an app's ranking on the top grossing chart.)

Secondly, Apple charges developers 30% for any in-app purchases, as well.

Thirdly, Apple forbids developers from including links in their app that take users to pages outside the app that allow additional content. (That's why, for example, you can't sign up for a subscription to Netflix directly from Netflix's app.)




SOURCE: http://gigaom.com/apple/how-much-did-you-spend-on-apps-this-year/

In what world is $4 the full price for a full game? Last time I checked, full games cost at least $20 if you want to buy it in a retail store. Fact of the matter is, most users don't pay a "high price" for a "full game".

To supplement that small income (and it is small. I could easily make more money at McDonald's rather than working as an independent developer. I do it because I love it. Also because I just got hired to do it for a lot more than I was making when I did it alone) developers offer In-App purchases. A few extra colors in Draw Something are by no means an essential feature. You can play the game without them. Asking for a measly... what is it, $2 for a pack of 5 colors... seems perfectly reasonable to me.

Personally, I'm planning to sell a game guide for my next game for $3, for a $7 game. I think it's perfectly reasonable... physical game guides generally cost $20 for a $50 game.

If i buy a game..I expect the apps not to be selling me in-app crap. Secondly, regardless how much the app cost..it's still money.

lifeinhd
Jul 14, 2012, 06:51 PM
Why? Because you like the idea of what's happening here?

It's good in that it's revealed a weakness in Apple's system.
It's bad because it creates a false sense of entitlement for users.

Realistically, which do you think there will be more of as a result of this article being published, developers getting rid of in-app purchases or consumers stealing in-app content?

macaaronb
Jul 15, 2012, 01:12 AM
Realistically, which do you think there will be more of as a result of this article being published, developers getting rid of in-app purchases or consumers stealing in-app content?

If you read the last couple edits, you will see that this hack exposed that Apple sends the App Store username and passwords in clear text to its servers, so similar hacks to this could be used for more malicious purposes, exploiting an inherent security flaw of iOS. Then the last edit, Apple acknowledges the hack and is working to re-ensure security. It's good that this hack was released because now it forces Apple to fix that.. just lucky that this hacker who discovered the security flaw didn't intend to steal info from users

lifeinhd
Jul 15, 2012, 10:16 AM
If you read the last couple edits, you will see that this hack exposed that Apple sends the App Store username and passwords in clear text to its servers, so similar hacks to this could be used for more malicious purposes, exploiting an inherent security flaw of iOS. Then the last edit, Apple acknowledges the hack and is working to re-ensure security. It's good that this hack was released because now it forces Apple to fix that.. just lucky that this hacker who discovered the security flaw didn't intend to steal info from users

That's beside the point. This security flaw could have been reported directly to Apple and quietly fixed without every site running a story on how you can now steal in-app purchases.

NewAnger
Jul 15, 2012, 10:37 AM
That's beside the point. This security flaw could have been reported directly to Apple and quietly fixed without every site running a story on how you can now steal in-app purchases.

Sometimes going public with these flaws is what it takes to get Apple to do something about it. Remember several years ago with the Safari bug on the original iPhone? It took a hacker threatening to publish how to use the exploit to gain access to anyone else's iPhone to get Apple to fix the flaw.

gnasher729
Jul 15, 2012, 01:32 PM
If you read the last couple edits, you will see that this hack exposed that Apple sends the App Store username and passwords in clear text to its servers, so similar hacks to this could be used for more malicious purposes, exploiting an inherent security flaw of iOS.

That is actually quite incorrect. The Apple ID and password are _not_ sent in cleartext. They are sent over an https connection, with practically unbreakable encryption. Only the intended recipient is able to read the Apple ID and password.

If some idiots redirect traffic aimed at Apple to some russian hacker, _and_ then commit the incredible stupidity to install a certificate so that the russian hacker site is trusted even though it doesn't have the right credentials, then only the intended recipient can read the Apple ID and password - and due to total stupidity of the user, the intended recipient is a russian hacker.


Easy fix - set up a brand new free iTunes Account and use that one instead for in-app "purchasing". No one will be then able to obtain your real information.

The user has installed a certificate on their iDevice which represents a massive security hole. A simple DNS attack now makes it possible for a hacker with access to this certificate to hack into any communication with any secure website. (Normally, if a hacker redirected traffic intended for your bank to their own website, they wouldn't be able to present your computer with a legal certificate for the bank. But now they can).

TunesFan
Jul 15, 2012, 08:13 PM
Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.

When Apple did find out about these accounts, they never did a thing to try to collect that debt.

New to these forums and look forward to many

Not yet anyway....

Remember me from AppleDiscussions? I'm pretty sure you do. You're that guy who called me a troll; at least I don't visit multiple forums to post the same redundant tales of legendary fraud....Your friend and anyone else who decides to openly commit fraud against Apple is not being ignored by Apple. Also, this isnt an Apple problem--it's a user problem.

A user decides to manipulate iOS software to steal. The iOS software is just fine, it's the dirtbag adding files to redirect who is the problem.

My car radio was awesome until I wanted more bass. I installed a huge speakerbox and a reciver a dude made out of an old h.a.m radio that promised constant Snoop. Also, I gave the dude a copy of my car keys and the title 'cause he said he offered roadside assistance and could remotely provide Sirius. Now my radio is perma-tuned to an oldies station and my ears ooze prune juice. My car disappeared last week and was found in a lake yesterday.....Ford really needs to take care of this!!!! I can't believe they let that happen.

PS. I can't wait to come across a post of yours one day to find that your buddy got what he deserved.

PracticalMac
Jul 16, 2012, 08:09 AM
Video removed, "Apple claims Copyright infringement"

"Copyright infringement"?

I hope it was the only option Apple had to pull video and not actual reason! ;)

MikeBRich
Jul 19, 2012, 03:46 AM
Video removed, "Apple claims Copyright infringement"

"Copyright infringement"?

I hope it was the only option Apple had to pull video and not actual reason! ;)

here's working tutorial, still working hahaha http://forums.macorg.net/threads/russian-hacker-zond80-hacked-app-store.43/