Realistically, which do you think there will be more of as a result of this article being published, developers getting rid of in-app purchases or consumers stealing in-app content?

If you read the last couple edits, you will see that this hack exposed that Apple sends the App Store username and passwords in clear text to its servers, so similar hacks to this could be used for more malicious purposes, exploiting an inherent security flaw of iOS. Then the last edit, Apple acknowledges the hack and is working to re-ensure security. It's good that this hack was released because now it forces Apple to fix that. Just lucky that this hacker who discovered the security flaw didn't intend to steal info from users.
 

That's beside the point. This security flaw could have been reported directly to Apple and quietly fixed without every site running a story on how you can now steal in-app purchases.
 

Sometimes going public with these flaws is what it takes to get Apple to do something about it. Remember several years ago with the Safari bug on the original iPhone? It took a hacker threatening to publish how to use the exploit to gain access to anyone else's iPhone to get Apple to fix the flaw.
 
If you read the last couple edits, you will see that this hack exposed that Apple sends the App Store username and passwords in clear text to its servers, so similar hacks to this could be used for more malicious purposes, exploiting an inherent security flaw of iOS.

That is actually quite incorrect. The Apple ID and password are _not_ sent in cleartext. They are sent over an https connection, with practically unbreakable encryption. Only the intended recipient is able to read the Apple ID and password.

If some idiots redirect traffic aimed at Apple to some Russian hacker, _and_ then commit the incredible stupidity to install a certificate so that the Russian hacker site is trusted even though it doesn't have the right credentials, then only the intended recipient can read the Apple ID and password - and due to total stupidity of the user, the intended recipient is a Russian hacker.


Easy fix - set up a brand new free iTunes Account and use that one instead for in-app "purchasing". No one will be then able to obtain your real information.

The user has installed a certificate on their iDevice which represents a massive security hole. A simple DNS attack now makes it possible for a hacker with access to this certificate to hack into any communication with any secure website. (Normally, if a hacker redirected traffic intended for your bank to their own website, they wouldn't be able to present your computer with a legal certificate for the bank. But now they can).
 
Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in-app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.

When Apple did find out about these accounts, they never did a thing to try to collect that debt.

New to these forums and look forward to many

Not yet anyway....

Remember me from AppleDiscussions? I'm pretty sure you do. You're that guy who called me a troll; at least I don't visit multiple forums to post the same redundant tales of legendary fraud.... Your friend and anyone else who decides to openly commit fraud against Apple is not being ignored by Apple. Also, this isn't an Apple problem--it's a user problem.

A user decides to manipulate iOS software to steal. The iOS software is just fine, it's the dirtbag adding files to redirect who is the problem.

My car radio was awesome until I wanted more bass. I installed a huge speakerbox and a receiver a dude made out of an old ham radio that promised constant Snoop. Also, I gave the dude a copy of my car keys and the title 'cause he said he offered roadside assistance and could remotely provide Sirius. Now my radio is perma-tuned to an oldies station and my ears ooze prune juice. My car disappeared last week and was found in a lake yesterday..... Ford really needs to take care of this!!!! I can't believe they let that happen.

PS. I can't wait to come across a post of yours one day to find that your buddy got what he deserved.
 
Video removed, "Apple claims Copyright infringement"

"Copyright infringement"?

I hope it was the only option Apple had to pull video and not actual reason! ;)
 