Personally, I believe anyone who wants to utilize this exploit should. Load it up and get all the coins, extra levels and whatever you can get. Because when your bank account is zeroed out by the hacker(s), you can go cry to no one. Hopefully that'll be a hard lesson learned.

It's the same as falling victim to a trojan horse loaded in a torrent of the Beatles discography you downloaded. You get what you deserve.
 
Like all other CRIMES, one day piracy will be eliminated through the free market

With so many ways to obtain free software - be it GNU, Open-Source, Shareware, demos, trials, promotions - it is amazing that people still find a justification for piracy. Not to mention educational and workplace discounts abound. As for media like TV, movies, and music - the media companies go out of their way to give us free content, G-d forbid there is some advertising so they can pay to host their servers or pay the content creators.
 
So this guy who is encouraging people not to pay for software wants people to donate money to him?

I feel his plan was not well thought out.
 
To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.

Report it, yes, but don't spread links.
 
And most of us don't. Doesn't change the fact. If you have kids, you will soon realize that you might not be the one who wants to have Farmville cash - or whatever that is called. (I don't have Farmville.) Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

I don't know. I have some confidence in my abilities to discipline my son. I didn't spend all my parent's money when I was a kid. I realize it's easier to blow money now but that doesn't make it an insurmountable task.
 
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

I agree completely. Not having the easy opportunity to steal stuff just keeps me awake at night. Now I can steal apps and money from the developers with ease.

Made my day...:rolleyes:
 
As 98% of apps are complete rubbish and no better than spam anyway, I'd say this was a good thing ... Though anyone who downloads the crap even for free is little more than a good advertisement for euthanasia really
 
not validating receipts?

Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.
Let's face it. Developers not validating their in-app purchases against Apple are not worth paying. It's transaction 101.
Problem is - those who do will not be able to sell anything anymore; plus might get all kinds of support questions on why in app purchase does not work... that sucks.
 
I don't know. I have some confidence in my abilities to discipline my son. I didn't spend all my parent's money when I was a kid. I realize it's easier to blow money now but that doesn't make it an insurmountable task.

Same here. When I see how other parents are sometimes oblivious to technology and hence the control over what their kids are doing, I think that this is still an issue. My point was simply: We as adults knowing that you have to earn each dollar/pound/euro and you can only spend it once will not buy Farmville cash. Educated and aware parents will make sure that their kids know what the boundaries of their actions are and monitor what they do. Others really don't. Just look how well-spread sexting is: My son will realize early on: If it is not clean enough for my and my wife's eyes, it's better not on his electronic devices - and I won't just trust him - I will diligently check him. Some might see it as intrusion into privacy. It's technically my device, he just borrows it.
 
Sorry to be paranoid but:
How many of these stories include the phrase "Russian Hacker"?
Russia has a very active and well documented history of cyber warfare. Estonia and Georgia come to mind as victims when they were confronting Putin's Russia. Also the Putin government has their hands in every profitable enterprise in Russia.

Now consider that one of the largest AntiVirus/Anti-Malware companies in the world is Kaspersky, from Putin's Russia. Not only do they sell their own AntiVirus product but:

From Wikipedia:
The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (acquired by Microsoft in 2005), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, Wedge Networks, and others.

Anyone else scared?

So no I won't use any software legitimate or not, from a Russian source, certainly not from "a Russian hacker".

I think all these companies that you mentioned above are doing business with MICROSOFT, not Kaspersky... Microsoft is the guarantee that all these companies will get the service they want... Yeah, I'm scared that Apple is creating a beautiful product and some dirt bag CRIMINAL is distorting everything APPLE stands for. :mad:
 
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.


I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?

That couldn't be further from the truth. The top grossing app in the App Store today is 100% due to IAP. It isn't the first time either.
 
How did you get to this conclusion? The users have to manipulate their devices to use this exploit. It doesn't make your or my device less secure.

Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.

When Apple did find out about these accounts, they never did a thing to try to collect that debt.
 
I'm pretty sure this hack will not work if the app employs Apple's server-side receipt verification. If in your case the game guide was downloaded from a server only after an in-app purchase - rather than being included in the app and then being 'activated' - and the server verified the in-app purchase with Apple, they would be able to carry out the hacked "purchase" but you could simply not allow the download of the guide.

One of my clients has a popular (UK top 50 grossing) app that derives all its income from IAP and we have, in the past, had issues with the jailbreak iap hack, however that hack is defeated by the verification method.

Interesting point, but I don't have the resources (namely money... also expertise,) to set up a server from which IAP may be downloaded.
 
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

Exploit! Really? Developers aren't allowed to make a living? Is it wrong for developers to charge for their content? If it's not worth it to you then don't pay for it and live without it!
 
Many games have ridiculous in app purchases. It's ludicrous to charge tens of pounds/dollars for a few extra coins.

Then don't use those games.
It is not up to you to decide if it is "ludicrous" and then just go and steal.

----------

It's just a final nail in the coffin for IAP, I say.
1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

This is totally wrong. You can ask Apple's servers if the receipt you get is a real buy. We do it that way and have no fraud so far. (In fact people try but will not get through.)
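
Added example, not part of any post in this thread and not Apple's or any poster's code: a sketch of the server-side gate the posts above describe, where paid content is released only after the store confirms the receipt. The bundle id, product ids, receipt layout and the `constructed_verifier` stand-in (which replaces the real call to Apple's servers so the block runs offline) are all assumptions of this example.

```python
import base64
import json

EXPECTED_BUNDLE_ID = "com.example.game"   # assumption: this app's bundle id
SELLABLE = {"com.example.game.guide"}     # assumption: products this server delivers

def make_receipt(genuine, bid, product_id, transaction_id):
    """Build a constructed sample receipt (not Apple's real receipt format)."""
    body = {"genuine": genuine, "bid": bid,
            "product_id": product_id, "transaction_id": transaction_id}
    return base64.b64encode(json.dumps(body).encode()).decode()

def constructed_verifier(receipt_b64):
    """Offline stand-in for asking the store whether a receipt is real.
    Assumed answer shape: status 0 plus the receipt fields when genuine."""
    try:
        body = json.loads(base64.b64decode(receipt_b64))
    except ValueError:
        return {"status": 1}              # constructed non-zero "rejected" status
    if not isinstance(body, dict) or not body.get("genuine"):
        return {"status": 1}
    return {"status": 0, "receipt": body}

class DownloadGate:
    """Server-side check run before paid content is handed to a client."""

    def __init__(self, verify):
        self.verify = verify
        self.redeemed = {}                # transaction_id -> first user to redeem

    def authorize(self, user, product_id, receipt_b64):
        answer = self.verify(receipt_b64)
        if answer.get("status") != 0:
            return (False, "receipt rejected by store")
        receipt = answer.get("receipt", {})
        # A genuine receipt must also be for this app and this product.
        if receipt.get("bid") != EXPECTED_BUNDLE_ID:
            return (False, "receipt is for another app")
        if product_id not in SELLABLE or receipt.get("product_id") != product_id:
            return (False, "receipt is for another product")
        txn = receipt.get("transaction_id")
        if not txn:
            return (False, "receipt has no transaction id")
        # One transaction unlocks content for one account only.
        if self.redeemed.setdefault(txn, user) != user:
            return (False, "transaction already redeemed")
        return (True, "ok")
```

The checks after the status test matter as much as the status itself: a receipt the store accepts can still belong to a different app, a different product, or a transaction another account has already redeemed.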
 