back to article Security fail for Apple as hacker cracks iOS in-app purchasing

A Russian hacker claims to have found a way to crack the in-app purchasing mechanism used in iOS so that users can get free content in a variety of applications. The hacker, dubbed ZonD80, posted a video of the crack on YouTube and claims that the technique makes it possible to beat Apple's payment systems by installing a …


This topic is closed for new posts.
  1. Benedict

    "ZonD80 is now asking for donations to set up a website to promote the hack."

    What a douchebag. It's because of people like him that security researchers while a shred of decency get sued when disclosing a vulnerability in a private and constructive manner.

    1. Destroy All Monsters Silver badge


      If you think that security researchers get sued because of "douchebags like that", be advised: They get sued because shutting someone up is easier than admitting fault and fixing things. "Irreparable harm to the company's ring muscle and the president's golden balls etc. etc."

    2. Anonymous Coward
      Anonymous Coward

      He may have another income stream in mind since he now says:

      "Forth. I did not steal or collect any passwords. For now, logging is total disabled."

      Even now, take his word at your peril.

  2. Comments are attributed to your handle

    "ZonD80 is now asking for donations to set up a website to promote the hack."

    ZonD80's reasoning: Why give your money to legitimate developers when you can give it to Russian hackers?

    1. Droid on Droid

      Re: "ZonD80 is now asking for donations to set up a website to promote the hack."

      I myself see nothing wrong with giving my credit card details to a Russian hacker, I mean what could go wrong with that. It's a plausibly safe thing to do.

  3. asdf Silver badge

    all I can think of

    ""Why you must to pay for content, already included in purchased app? I think, you must not," he said.

    Whenever I hear a Russian butcher the English language I can only think of one phrase, You're Winner!.

    1. James O'Brien

      Re: all I can think of

      You're Winner !

    2. Jess

      Re: all I can think of

      A bit harsh.

      Russian is a very different language from English, it has a different word order and rules, different alphabet no word for 'the' or 'a' and no present tense of the verb to be.

      He's not doing too badly, when you know that. (Certainly much better than Google translate, and definitely better than I could do in the opposite direction.)

      1. stanimir

        Re: all I can think of

        and no present tense of the verb to be

        My Russian is rusty and overall bad but that's a common misconception. There is such verb -- есть, it's just usually skipped unless it means 'have'. Yes, it's the same verb that means "I am" and "I have". And even Russian is not the single language to have the same verb for 'to be' and 'to have'


        1. Jess

          Re: all I can think of

          Есть means "there is" (also to eat). (Ref. Natasha Bershadski)

          1. stanimir

            Re: all I can think of

            Also means "to have" and "to be. I see I have not copied the hash in the URL, so scroll down. I am quite sure about too, I can actually speak Russian. -

            1. Jess

              Re: all I can think of

              It doesn't *exactly* mean "to have" because the equivalent of "I have" is formed along the lines of "with me there is"

              However I think you are trying to make too direct mapping between the languages, which is the point I originally made.

        2. boltar Silver badge

          Re: all I can think of

          My russian is basic but I thought "I have" was "oo meenya" , literally "by me"?

    3. h4rm0ny

      Re: all I can think of

      ""Why you must to pay for content, already included in purchased app? I think, you must not."

      Ah, the logic of the pirate never more clearly put. Doesn't matter what you agree to, doesn't matter what the people who create the work want to sell it for work for or how, ZonD80 "thinks you must not".

    4. Andy 68

      Re: all I can think of

      Whenever *I* hear of a Russian Butcher, all I can think of is that I'm just about to find the star that fell on the cathedral....

  4. fatchap

    Security Fail

    For anyone who thinks giving a Russian guy with very low morals when it comes to allocation of funds their username, password and potentially payment info!

    1. Anonymous Coward
      Anonymous Coward

      It's worse than that.

      For this hack to work, you have to hand over complete control of your DNS resolution to a server under the hacker's control.

      Yeah, that'll end well.

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Harms the freemium game market

    Harms the freemium game market

    How selfish - a number of apps are free or are cheap given the production costs as they rely on users paying (not a lot) for content when they enjoy a game and feel like investing more than time. This hack will mainly harm the investment of freemium developers or put many small developers out of business. I can't see Apple allowing that to happen for long.

    1. steogede

      Re: Harms the freemium game market

      Freemium? What you mean those free games aimed at children, which entice your child to hand over the GDP of a Central American country, for a few pointless virtual trinkets? The apps which only continue to make money because people don't know (how) to make there App Store settings sane before handing their phone over to a child?

      Android recently had a colouring game that was a great example of the worst sort of freemium. Appears that most/all platforms are afflicted.

      BTW, I wouldn't use, recommend or condone the use of this crack, for many reasons. However, if it kills the freemium model, that has to be good.

      1. Anonymous Coward
        Anonymous Coward

        Re: Harms the freemium game market

        Yeah because you work for free?

        1. This post has been deleted by its author

  7. Anonymous Coward
    Anonymous Coward

    The whole thing seems to be breaking into pieces already, his server having been blocked from Apple's servers so it's already more complicated to setup.

    His Paypal account has been blocked as well so he's down to accepting Bitcoins. I guess his Blogger account will be next.

    Not to mention the huge dumb move that is accepting this guy's root security certificate.

    It's all a bit pathetic, especially since most apps are available cracked.

    1. jai

      apparently 30,000 people have given him their usernames and passwords via this method, but he's only gotten less than $7 in paypal donations.

      turns out, the kind of people who want to get free in-app purchases by any means aren't all that generous towards the hackers that help them either. who'da thought it?

      1. Paul Bruneau

        Good logic, jai

        I can add another point of logic:

        The kind of people who think it's OK to steal in-app content, and will go so far as to provide their itunes information (if it's even theirs) to a stranger in order to do so, are not going to ever purchase any in-app content.

        So as a developer, I can tell you, I couldn't care less that these people do what they do--they weren't going to buy anything from my apps anyway.

  8. Anonymous Coward
    Anonymous Coward

    Legality of the video

    Is publishing that video legal? According to the UK Copyright act of 1988 a copyright owner has rights against a person "publishes information intended to enable or assist persons to circumvent that form of copy-protection,"

    Or has this changed?

    1. the spectacularly refined chap

      Re: Legality of the video

      Copy protection doesn't apply here. The software is legally downloaded from the app store. A method of breaking copy protection to allow an illegal copy to be made is not being suggested.

      1. Anonymous Coward
        Anonymous Coward

        Re: Legality of the video

        I don't think that's true.

        For example in the case of cable/sat DVRs (e.g. from Sky) they are full of legally obtained content, but it's not legal to publish information on how to circumvent the encryption and play that content without a valid subscription.

    2. Jess

      Re: Legality of the video

      Do you mean publishing the link to the video?

      Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.

      You might be confusing the situation with the situation here, where if you commit an act that is a crime in the US but not, here you get extradited.

      1. Anonymous Coward
        Anonymous Coward

        Re: Legality of the video

        Actually since the video was hosted in the US, it's Russian laws that don't apply.

        As for this article, the video was embedded, not linked, in a UK publication, so surely UK law regarding publishing applies.

        Anyway it's all rather moot now, the video was removed under US law.

      2. Anonymous Coward
        Anonymous Coward

        Re: sovereignty

        > Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.

        Its just our laws they don't take seriously.

        Polonium tea anyone?

  9. Gary Riches

    They're not fully hacked. If you validade your IAP receipts (as you should) then this hack won't work.

  10. stanimir

    Hacking? You call this hacking?

    If it's client based authorization, i.e. asking apple if something has been bought - it's only normal to be able to "hack", no much security can save the case.

    If the application relies on the server (3rd party) to provide content then the hacking won't be viable. I really see no news here.

    According to Borodin, only developers using their own servers to verify in-app purchases are able to dodge the hack.

    I found that quote a bit later - and it has always been known to be the case. It's not possible to reliable authenticate anything without a 3rd party doing the authentication That's why there are root certs.

    As a last note: If Apple is willing to sign explicitly all transaction tickets responses with a private key, then it will work. SSL alone can be fooled by root cert installation but an explicit offline public key - not so much.

    1. Danny 14 Silver badge

      Re: Hacking? You call this hacking?

      SSL proxy man-in-the middle will still defeat SSL as long as the chain is correct. IIS has been doing this for years in corporate proxies.

  11. This post has been deleted by its author

  12. Andus McCoatover

    Blocked for me...(UTC+2 - Finland)

    Tried to watch the video in the article, I get this most frightening mouthful....

    ""In-appstore.comGet in-app" video ei ole enää käytettävissä käyttäjän Apple, inc tekemän tekijänoikeus vaatimuksen vuoksi."

    Which means (had to use Google Translate, can't be bothered to fathom it out, but you'll get the drift...)

    "In-appstore.comGet in-app" the video is no longer available to the user of Apple, inc copyright claim by reason."

    1. stanimir

      Re: Blocked for me...(UTC+2 - Finland)

      Finland is UTC+3 now, daylight savings applied (just telling)

  13. Anonymous Coward
    Anonymous Coward

    His intention is to profit from this, any legitimate security researcher would have passed on the information.

    iOS is locked down quite a lot, this just results in it being even more strictly controlled. This sort of stupid exploit is counter-productive.

    1. Anonymous Coward
      Anonymous Coward

      Completely agree, at least before we could add our root certificate and unencrypt SSL traffic to and from Apple for debugging or just to check there was nothing extra going on.

      Sounds like the fix will break this ability.

  14. Anonymous Coward
    Anonymous Coward

    Apple claims copyright on method?

    The video describing the method has been removed by Apple. Are other sites with the video?

  15. h3

    Freenium is bulls*ht anything that destroys that business model is for the greater good.

    (Compared to a Sega or Square Enix classic the quality is dire - The humble Android bundles have content that is fairly mediocre but you get allot for even the average price - Freenium is totally and utterly dire. (Zen Pinball I suppose is ok one free table and you pay for more but not micro transactions or adware).

    1. Anonymous Coward
      Anonymous Coward

      What's wrong with giving the game away and paying if you like it - I'd rather than that PAY for the game then realise it's a bag of crap. I'm sure people can get carried away and keep buying upgrades / gems etc. but they are not being 'forced' to.

    2. Anonymous Coward
      Anonymous Coward

      Tell that to games like ...

      Tribes Ascend or Blacklight: Revolution

      It maybe however be that Freemium is a bad choice for Mobile applications, but I don't purchase apps for my mobile.

  16. This post has been deleted by its author

  17. Saoir

    "Developers could be seriously out of pocket"

    How exactly will this happen ? So thousands of people who WERE going to buy apps will now use this crack to buy their apps before Apple close the loophole ?

    What a nonsensical proposition.

  18. Confuciousmobil


    I'll trust his cert, change my IP and give him my username and password.

    I mean, what could possibly go wrong?

  19. Anonymous Coward
    Anonymous Coward

    Sounds like lazy developers who do not bother to ensure they are calling back to validate the transaction with Apple's servers.

    If you want to hand over your DNS resolution etc. to some Russian hackers please accept everything you deserve - probably much more than the £0.59 you saved on buying the game legitimately.

    1. Paul Bruneau

      Not lazy, just with proper priorities

      Why should I spend time, effort and server resources to set up a verification server when I can use my time and skill to make my app better? Or to make new apps?

      As has been pointed out by many, these folks weren't going to buy content anyway.

      So don't call me lazy.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019