Security fail for Apple as hacker cracks iOS in-app purchasing

A Russian hacker claims to have found a way to crack the in-app purchasing mechanism used in iOS so that users can get free content in a variety of applications. The hacker, dubbed ZonD80, posted a video of the crack on YouTube and claims that the technique makes it possible to beat Apple's payment systems by installing a couple …

COMMENTS

This topic is closed for new posts.

"ZonD80 is now asking for donations to set up a website to promote the hack."

What a douchebag. It's because of people like him that security researchers with a shred of decency get sued when disclosing a vulnerability in a private and constructive manner.

16
13
Silver badge
Holmes

Hah!

If you think that security researchers get sued because of "douchebags like that", be advised: They get sued because shutting someone up is easier than admitting fault and fixing things. "Irreparable harm to the company's ring muscle and the president's golden balls etc. etc."

26
3
Anonymous Coward

He may have another income stream in mind since he now says:

"Forth. I did not steal or collect any passwords. For now, logging is total disabled."

Even now, take his word at your peril.

4
1
Holmes

"ZonD80 is now asking for donations to set up a website to promote the hack."

ZonD80's reasoning: Why give your money to legitimate developers when you can give it to Russian hackers?

32
0
Facepalm

Re: "ZonD80 is now asking for donations to set up a website to promote the hack."

I myself see nothing wrong with giving my credit card details to a Russian hacker, I mean what could go wrong with that. It's a plausibly safe thing to do.

9
0
Silver badge
FAIL

all I can think of

""Why you must to pay for content, already included in purchased app? I think, you must not," he said.

Whenever I hear a Russian butcher the English language I can only think of one phrase, You're Winner!.

3
4
Joke

Re: all I can think of

You're Winner !

0
0
Bronze badge

Re: all I can think of

A bit harsh.

Russian is a very different language from English: it has a different word order and rules, a different alphabet, no word for 'the' or 'a', and no present tense of the verb to be.

He's not doing too badly, when you know that. (Certainly much better than Google translate, and definitely better than I could do in the opposite direction.)

18
1
Silver badge

Re: all I can think of

""Why you must to pay for content, already included in purchased app? I think, you must not."

Ah, the logic of the pirate never more clearly put. Doesn't matter what you agree to, doesn't matter what the people who create the work want to sell it for or how, ZonD80 "thinks you must not".

11
4

Re: all I can think of

Whenever *I* hear of a Russian Butcher, all I can think of is that I'm just about to find the star that fell on the cathedral....

2
0

Re: all I can think of

and no present tense of the verb to be

My Russian is rusty and overall bad, but that's a common misconception. There is such a verb -- есть, it's just usually skipped unless it means 'have'. Yes, it's the same verb that means "I am" and "I have". And Russian is not even the only language to have the same verb for 'to be' and 'to have'.

Reference: http://en.wiktionary.org/wiki/есть

1
1
Bronze badge

Re: all I can think of

Есть means "there is" (also to eat). (Ref. Natasha Bershadski)

2
0

Re: all I can think of

Also means "to have" and "to be". I see I have not copied the hash in the URL, so scroll down. I am quite sure about it too, I can actually speak Russian. - http://en.wiktionary.org/wiki/%D0%B5%D1%81%D1%82%D1%8C#Etymology_2

0
0
Bronze badge

Re: all I can think of

It doesn't *exactly* mean "to have", because the equivalent of "I have" is formed along the lines of "with me there is".

However, I think you are trying to make too direct a mapping between the languages, which is the point I originally made.

0
0
Silver badge

Re: all I can think of

My Russian is basic, but I thought "I have" was "oo meenya", literally "by me"?

0
0
FAIL

Security Fail

For anyone who thinks giving a Russian guy with very low morals when it comes to allocation of funds their username, password and potentially payment info!

11
0
Anonymous Coward

It's worse than that.

For this hack to work, you have to hand over complete control of your DNS resolution to a server under the hacker's control.

Yeah, that'll end well.

13
0

This post has been deleted by its author

Anonymous Coward

Harms the freemium game market

How selfish - a number of apps are free or are cheap given the production costs as they rely on users paying (not a lot) for content when they enjoy a game and feel like investing more than time. This hack will mainly harm the investment of freemium developers or put many small developers out of business. I can't see Apple allowing that to happen for long.

11
0

Re: Harms the freemium game market

Freemium? What, you mean those free games aimed at children, which entice your child to hand over the GDP of a Central American country for a few pointless virtual trinkets? The apps which only continue to make money because people don't know (how) to make their App Store settings sane before handing their phone over to a child?

Android recently had a colouring game that was a great example of the worst sort of freemium. Appears that most/all platforms are afflicted.

BTW, I wouldn't use, recommend or condone the use of this crack, for many reasons. However, if it kills the freemium model, that has to be good.

6
6
Anonymous Coward

Re: Harms the freemium game market

Yeah because you work for free?

0
0

This post has been deleted by its author

Anonymous Coward

The whole thing seems to be breaking into pieces already, his server having been blocked from Apple's servers, so it's already more complicated to set up.

His Paypal account has been blocked as well so he's down to accepting Bitcoins. I guess his Blogger account will be next.

Not to mention the huge dumb move that is accepting this guy's root security certificate.

It's all a bit pathetic, especially since most apps are available cracked.

5
0
jai
Silver badge

apparently 30,000 people have given him their usernames and passwords via this method, but he's only gotten less than $7 in paypal donations.

turns out, the kind of people who want to get free in-app purchases by any means aren't all that generous towards the hackers that help them either. who'da thought it?

http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/

7
0

Good logic, jai

I can add another point of logic:

The kind of people who think it's OK to steal in-app content, and will go so far as to provide their iTunes information (if it's even theirs) to a stranger in order to do so, are not going to ever purchase any in-app content.

So as a developer, I can tell you, I couldn't care less that these people do what they do--they weren't going to buy anything from my apps anyway.

1
0
Anonymous Coward

Legality of the video

Is publishing that video legal? According to the UK Copyright act of 1988, a copyright owner has rights against a person who "publishes information intended to enable or assist persons to circumvent that form of copy-protection,"

http://www.legislation.gov.uk/ukpga/1988/48/part/VII/enacted?timeline=true

Or has this changed?

1
0
Bronze badge

Re: Legality of the video

Copy protection doesn't apply here. The software is legally downloaded from the app store. A method of breaking copy protection to allow an illegal copy to be made is not being suggested.

2
0
Anonymous Coward

Re: Legality of the video

I don't think that's true.

For example in the case of cable/sat DVRs (e.g. from Sky) they are full of legally obtained content, but it's not legal to publish information on how to circumvent the encryption and play that content without a valid subscription.

0
0
Bronze badge

Re: Legality of the video

Do you mean publishing the link to the video?

Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.

You might be confusing the situation with the situation here, where if you commit an act that is a crime in the US but not here, you get extradited.

10
0
Anonymous Coward

Re: Legality of the video

Actually since the video was hosted in the US, it's Russian laws that don't apply.

As for this article, the video was embedded, not linked, in a UK publication, so surely UK law regarding publishing applies.

Anyway it's all rather moot now, the video was removed under US law.

0
0
Anonymous Coward

Re: sovereignty

> Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.

It's just our laws they don't take seriously.

Polonium tea anyone?

0
0

They're not fully hacked. If you validate your IAP receipts (as you should) then this hack won't work.

1
0
Meh

Hacking? You call this hacking?

If it's client-based authorization, i.e. asking Apple if something has been bought, it's only normal to be able to "hack"; not much security can save the case.

If the application relies on the server (3rd party) to provide content then the hacking won't be viable. I really see no news here.

According to Borodin, only developers using their own servers to verify in-app purchases are able to dodge the hack.

I found that quote a bit later - and it has always been known to be the case. It's not possible to reliably authenticate anything without a 3rd party doing the authentication. That's why there are root certs.

As a last note: if Apple is willing to explicitly sign all transaction ticket responses with a private key, then it will work. SSL alone can be fooled by root cert installation, but an explicit offline public key - not so much.

1
0
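The two posts above (validate receipts server-side; have the store sign receipts with a private key and pin the public key offline) describe a check that can be shown in working code. The following is an added example, not code from the article, from any commenter, or from Apple, and it does not use Apple's real receipt format: the receipt fields, the Ed25519 keys, the bundle id and the transaction ids are all constructed for the demonstration. It shows why a client that has been pointed at a proxy via DNS and given a rogue root certificate still cannot unlock content when the developer's own server verifies the signature under a pinned key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is a constructed, simplified stand-in for a store purchase receipt.
// It is NOT Apple's real receipt format; the field names are assumptions.
type Receipt struct {
	BundleID      string `json:"bundle_id"`
	ProductID     string `json:"product_id"`
	TransactionID string `json:"transaction_id"`
	PurchaseDate  string `json:"purchase_date"`
}

// SignedReceipt is a receipt plus the store's detached Ed25519 signature.
type SignedReceipt struct {
	Receipt   Receipt
	Signature []byte
}

// canonical renders the exact bytes that are signed and later verified.
// json.Marshal writes struct fields in declaration order, so it is deterministic.
func canonical(r Receipt) ([]byte, error) { return json.Marshal(r) }

// SignReceipt plays the store: only the holder of the store's private key
// can produce a signature the developer's verifier will accept.
func SignReceipt(priv ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Receipt: r, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrBadSignature = errors.New("signature does not verify under the pinned store key")
	ErrWrongBundle  = errors.New("receipt was issued for a different app")
	ErrReplay       = errors.New("transaction id already redeemed")
)

// Verifier is the developer's server-side check. The store public key is
// pinned at deploy time and never taken from the TLS session, so a rogue
// root certificate or hijacked DNS on the client gains the attacker nothing here.
type Verifier struct {
	storePub ed25519.PublicKey
	bundleID string
	seen     map[string]bool // redeemed transaction ids (replay protection)
}

func NewVerifier(pub ed25519.PublicKey, bundleID string) *Verifier {
	return &Verifier{storePub: pub, bundleID: bundleID, seen: map[string]bool{}}
}

// Verify accepts a receipt only if it is signed by the pinned key, was
// issued for this app, and has not been redeemed before.
func (v *Verifier) Verify(sr SignedReceipt) error {
	msg, err := canonical(sr.Receipt)
	if err != nil {
		return err
	}
	if !ed25519.Verify(v.storePub, msg, sr.Signature) {
		return ErrBadSignature
	}
	if sr.Receipt.BundleID != v.bundleID {
		return ErrWrongBundle
	}
	if v.seen[sr.Receipt.TransactionID] {
		return ErrReplay
	}
	v.seen[sr.Receipt.TransactionID] = true
	return nil
}

// Demo runs four scenarios against one verifier: a genuine receipt, one
// tampered in transit, one signed with an attacker's own key, and a replay.
func Demo() (genuine, tampered, forged, replayed error) {
	storePub, storePriv, err := ed25519.GenerateKey(rand.Reader) // stands in for the store's key
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // the only key a proxy can sign with
	v := NewVerifier(storePub, "com.example.game")          // constructed bundle id

	issued := Receipt{BundleID: "com.example.game", ProductID: "com.example.game.level_pack_1",
		TransactionID: "txn-0001", PurchaseDate: "2012-07-13T12:00:00Z"}
	sr, _ := SignReceipt(storePriv, issued)
	genuine = v.Verify(sr)

	t := sr // a proxy rewrites the product id; the bytes no longer match the signature
	t.Receipt.ProductID = "com.example.game.all_levels"
	tampered = v.Verify(t)

	f, _ := SignReceipt(attackerPriv, Receipt{BundleID: "com.example.game", // fresh receipt, untrusted key
		ProductID: "com.example.game.all_levels", TransactionID: "txn-0002", PurchaseDate: "2012-07-13T12:01:00Z"})
	forged = v.Verify(f)

	replayed = v.Verify(sr) // presenting the genuine receipt twice must not unlock twice
	return
}

func main() {
	g, t, f, r := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| forged:", f, "| replayed:", r)
}
```

The contrast with the "SSL proxy" objection is the point: TLS proves who the client is talking to, and a user-installed root certificate lets a proxy impersonate that endpoint, but a signature under a key pinned on the developer's own server cannot be produced by anyone who does not hold the store's private key, whatever the client's DNS or trust store says.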
Silver badge
Stop

Re: Hacking? You call this hacking?

SSL proxy man-in-the-middle will still defeat SSL as long as the chain is correct. IIS has been doing this for years in corporate proxies.

0
0

This post has been deleted by its author

Bronze badge
Windows

Blocked for me...(UTC+2 - Finland)

Tried to watch the video in the article, I get this most frightening mouthful....

""In-appstore.comGet in-app" video ei ole enää käytettävissä käyttäjän Apple, inc tekemän tekijänoikeus vaatimuksen vuoksi."

Which means (had to use Google Translate, can't be bothered to fathom it out, but you'll get the drift...)

"In-appstore.comGet in-app" the video is no longer available to the user of Apple, inc copyright claim by reason."

0
0

Re: Blocked for me...(UTC+2 - Finland)

Finland is UTC+3 now, daylight savings applied (just telling)

0
0
Anonymous Coward

His intention is to profit from this, any legitimate security researcher would have passed on the information.

iOS is locked down quite a lot, this just results in it being even more strictly controlled. This sort of stupid exploit is counter-productive.

2
0
Anonymous Coward

Completely agree, at least before we could add our root certificate and unencrypt SSL traffic to and from Apple for debugging or just to check there was nothing extra going on.

Sounds like the fix will break this ability.

2
0
Anonymous Coward

Apple claims copyright on method?

The video describing the method has been removed by Apple. Are other sites with the video?

0
1
h3
Bronze badge

Freemium is bulls*ht; anything that destroys that business model is for the greater good.

(Compared to a Sega or Square Enix classic the quality is dire. The Humble Android bundles have content that is fairly mediocre, but you get a lot for even the average price. Freemium is totally and utterly dire. Zen Pinball I suppose is OK: one free table and you pay for more, but no micro transactions or adware.)

0
2
Anonymous Coward

What's wrong with giving the game away and paying if you like it? I'd rather that than PAY for the game, then realise it's a bag of crap. I'm sure people can get carried away and keep buying upgrades / gems etc., but they are not being 'forced' to.

0
0
Anonymous Coward

Tell that to games like ...

Tribes Ascend or Blacklight: Revolution

It may, however, be that Freemium is a bad choice for mobile applications, but I don't purchase apps for my mobile.

0
0

This post has been deleted by its author

"Developers could be seriously out of pocket"

How exactly will this happen? So thousands of people who WERE going to buy apps will now use this crack to buy their apps before Apple close the loophole?

What a nonsensical proposition.

2
0
Facepalm

WCPGW?

I'll trust his cert, change my IP and give him my username and password.

I mean, what could possibly go wrong?

0
0
Anonymous Coward

Sounds like lazy developers who do not bother to ensure they are calling back to validate the transaction with Apple's servers.

If you want to hand over your DNS resolution etc. to some Russian hackers please accept everything you deserve - probably much more than the £0.59 you saved on buying the game legitimately.

0
1

Not lazy, just with proper priorities

Why should I spend time, effort and server resources to set up a verification server when I can use my time and skill to make my app better? Or to make new apps?

As has been pointed out by many, these folks weren't going to buy content anyway.

So don't call me lazy.

0
0