A Russian hacker claims to have found a way to crack the in-app purchasing mechanism used in iOS so that users can get free content in a variety of applications. The hacker, dubbed ZonD80, posted a video of the crack on YouTube and claims that the technique makes it possible to beat Apple's payment systems by installing a …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 13th July 2012 21:22 GMT Benedict

"ZonD80 is now asking for donations to set up a website to promote the hack."

What a douchebag. It's because of people like him that security researchers while a shred of decency get sued when disclosing a vulnerability in a private and constructive manner.

16 13
1. Friday 13th July 2012 22:18 GMT Destroy All Monsters
  
  Hah!
  
  If you think that security researchers get sued because of "douchebags like that", be advised: They get sued because shutting someone up is easier than admitting fault and fixing things. "Irreparable harm to the company's ring muscle and the president's golden balls etc. etc."
  
  26 3
2. Saturday 14th July 2012 11:52 GMT Anonymous Coward
  
  He may have another income stream in mind since he now says:
  
  "Forth. I did not steal or collect any passwords. For now, logging is total disabled."
  
  Even now, take his word at your peril.
  
  4 1
Friday 13th July 2012 21:26 GMT Comments are attributed to your handle

"ZonD80 is now asking for donations to set up a website to promote the hack."

ZonD80's reasoning: Why give your money to legitimate developers when you can give it to Russian hackers?

32 0
1. Saturday 14th July 2012 23:38 GMT Droid on Droid
  
  Re: "ZonD80 is now asking for donations to set up a website to promote the hack."
  
  I myself see nothing wrong with giving my credit card details to a Russian hacker, I mean what could go wrong with that. It's a plausibly safe thing to do.
  
  9 0
Friday 13th July 2012 22:14 GMT asdf

all I can think of

""Why you must to pay for content, already included in purchased app? I think, you must not," he said.

Whenever I hear a Russian butcher the English language I can only think of one phrase, You're Winner!.

3 4
1. Friday 13th July 2012 22:45 GMT James O'Brien
  
  Re: all I can think of
  
  You're Winner !
  
  0 0
2. Saturday 14th July 2012 07:48 GMT Jess
  
  Re: all I can think of
  
  A bit harsh.
  
  Russian is a very different language from English, it has a different word order and rules, different alphabet no word for 'the' or 'a' and no present tense of the verb to be.
  
  He's not doing too badly, when you know that. (Certainly much better than Google translate, and definitely better than I could do in the opposite direction.)
  
  18 1
  1. Saturday 14th July 2012 11:55 GMT stanimir
    
    Re: all I can think of
    
    and no present tense of the verb to be
    
    My Russian is rusty and overall bad but that's a common misconception. There is such verb -- есть, it's just usually skipped unless it means 'have'. Yes, it's the same verb that means "I am" and "I have". And even Russian is not the single language to have the same verb for 'to be' and 'to have'
    
    Reference: http://en.wiktionary.org/wiki/есть
    
    1 1
    1. Saturday 14th July 2012 16:27 GMT Jess
      
      Re: all I can think of
      
      Есть means "there is" (also to eat). (Ref. Natasha Bershadski)
      
      2 0
      1. Saturday 14th July 2012 20:06 GMT stanimir
        
        Re: all I can think of
        
        Also means "to have" and "to be. I see I have not copied the hash in the URL, so scroll down. I am quite sure about too, I can actually speak Russian. - http://en.wiktionary.org/wiki/%D0%B5%D1%81%D1%82%D1%8C#Etymology_2
        
        0 0
        
        Saturday 14th July 2012 21:27 GMT Jess
        
        Re: all I can think of
        
        It doesn't *exactly* mean "to have" because the equivalent of "I have" is formed along the lines of "with me there is"
        
        However I think you are trying to make too direct mapping between the languages, which is the point I originally made.
        
        0 0
    2. Monday 16th July 2012 09:50 GMT Anonymous Coward
      
      Re: all I can think of
      
      My russian is basic but I thought "I have" was "oo meenya" , literally "by me"?
      
      0 0
3. Saturday 14th July 2012 10:39 GMT h4rm0ny
  
  Re: all I can think of
  
  ""Why you must to pay for content, already included in purchased app? I think, you must not."
  
  Ah, the logic of the pirate never more clearly put. Doesn't matter what you agree to, doesn't matter what the people who create the work want to sell it for work for or how, ZonD80 "thinks you must not".
  
  11 4
4. Saturday 14th July 2012 11:05 GMT Andy 68
  
  Re: all I can think of
  
  Whenever *I* hear of a Russian Butcher, all I can think of is that I'm just about to find the star that fell on the cathedral....
  
  2 0
Friday 13th July 2012 22:19 GMT fatchap

Security Fail

For anyone who thinks giving a Russian guy with very low morals when it comes to allocation of funds their username, password and potentially payment info!

11 0
1. Saturday 14th July 2012 03:32 GMT Anonymous Coward
  
  It's worse than that.
  
  For this hack to work, you have to hand over complete control of your DNS resolution to a server under the hacker's control.
  
  Yeah, that'll end well.
  
  13 0
This post has been deleted by its author
Friday 13th July 2012 22:33 GMT Anonymous Coward

Harms the freemium game market

Harms the freemium game market

How selfish - a number of apps are free or are cheap given the production costs as they rely on users paying (not a lot) for content when they enjoy a game and feel like investing more than time. This hack will mainly harm the investment of freemium developers or put many small developers out of business. I can't see Apple allowing that to happen for long.

11 0
1. Saturday 14th July 2012 20:41 GMT steogede
  
  Re: Harms the freemium game market
  
  Freemium? What you mean those free games aimed at children, which entice your child to hand over the GDP of a Central American country, for a few pointless virtual trinkets? The apps which only continue to make money because people don't know (how) to make there App Store settings sane before handing their phone over to a child?
  
  Android recently had a colouring game that was a great example of the worst sort of freemium. Appears that most/all platforms are afflicted.
  
  BTW, I wouldn't use, recommend or condone the use of this crack, for many reasons. However, if it kills the freemium model, that has to be good.
  
  6 6
  1. Monday 16th July 2012 10:44 GMT Anonymous Coward
    
    Re: Harms the freemium game market
    
    Yeah because you work for free?
    
    0 0
    1. This post has been deleted by its author
Friday 13th July 2012 23:06 GMT Anonymous Coward

The whole thing seems to be breaking into pieces already, his server having been blocked from Apple's servers so it's already more complicated to setup.

His Paypal account has been blocked as well so he's down to accepting Bitcoins. I guess his Blogger account will be next.

Not to mention the huge dumb move that is accepting this guy's root security certificate.

It's all a bit pathetic, especially since most apps are available cracked.

5 0
1. Saturday 14th July 2012 13:40 GMT jai
  
  apparently 30,000 people have given him their usernames and passwords via this method, but he's only gotten less than $7 in paypal donations.
  
  turns out, the kind of people who want to get free in-app purchases by any means aren't all that generous towards the hackers that help them either. who'da thought it?
  
  http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/
  
  7 0
  1. Monday 16th July 2012 12:29 GMT Paul Bruneau
    
    Good logic, jai
    
    I can add another point of logic:
    
    The kind of people who think it's OK to steal in-app content, and will go so far as to provide their itunes information (if it's even theirs) to a stranger in order to do so, are not going to ever purchase any in-app content.
    
    So as a developer, I can tell you, I couldn't care less that these people do what they do--they weren't going to buy anything from my apps anyway.
    
    1 0
Saturday 14th July 2012 00:14 GMT Anonymous Coward

Legality of the video

Is publishing that video legal? According to the UK Copyright act of 1988 a copyright owner has rights against a person "publishes information intended to enable or assist persons to circumvent that form of copy-protection,"

http://www.legislation.gov.uk/ukpga/1988/48/part/VII/enacted?timeline=true

Or has this changed?

1 0
1. Saturday 14th July 2012 00:30 GMT the spectacularly refined chap
  
  Re: Legality of the video
  
  Copy protection doesn't apply here. The software is legally downloaded from the app store. A method of breaking copy protection to allow an illegal copy to be made is not being suggested.
  
  2 0
  1. Saturday 14th July 2012 00:56 GMT Anonymous Coward
    
    Re: Legality of the video
    
    I don't think that's true.
    
    For example in the case of cable/sat DVRs (e.g. from Sky) they are full of legally obtained content, but it's not legal to publish information on how to circumvent the encryption and play that content without a valid subscription.
    
    0 0
2. Saturday 14th July 2012 08:11 GMT Jess
  
  Re: Legality of the video
  
  Do you mean publishing the link to the video?
  
  Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.
  
  You might be confusing the situation with the situation here, where if you commit an act that is a crime in the US but not, here you get extradited.
  
  10 0
  1. Saturday 14th July 2012 11:02 GMT Anonymous Coward
    
    Re: Legality of the video
    
    Actually since the video was hosted in the US, it's Russian laws that don't apply.
    
    As for this article, the video was embedded, not linked, in a UK publication, so surely UK law regarding publishing applies.
    
    Anyway it's all rather moot now, the video was removed under US law.
    
    0 0
  2. Sunday 15th July 2012 16:58 GMT Anonymous Coward
    
    Re: sovereignty
    
    > Since it is Russian, and unlike us, they take their sovereignty seriously, our law won't apply there.
    
    Its just our laws they don't take seriously.
    
    Polonium tea anyone?
    
    0 0
Saturday 14th July 2012 07:53 GMT Gary Riches

They're not fully hacked. If you validade your IAP receipts (as you should) then this hack won't work.

1 0
Saturday 14th July 2012 07:59 GMT stanimir

Hacking? You call this hacking?

If it's client based authorization, i.e. asking apple if something has been bought - it's only normal to be able to "hack", no much security can save the case.

If the application relies on the server (3rd party) to provide content then the hacking won't be viable. I really see no news here.

According to Borodin, only developers using their own servers to verify in-app purchases are able to dodge the hack.

I found that quote a bit later - and it has always been known to be the case. It's not possible to reliable authenticate anything without a 3rd party doing the authentication That's why there are root certs.

As a last note: If Apple is willing to sign explicitly all transaction tickets responses with a private key, then it will work. SSL alone can be fooled by root cert installation but an explicit offline public key - not so much.

1 0
1. Saturday 14th July 2012 21:00 GMT Danny 14
  
  Re: Hacking? You call this hacking?
  
  SSL proxy man-in-the middle will still defeat SSL as long as the chain is correct. IIS has been doing this for years in corporate proxies.
  
  0 0
This post has been deleted by its author
Saturday 14th July 2012 09:05 GMT Andus McCoatover

Blocked for me...(UTC+2 - Finland)

Tried to watch the video in the article, I get this most frightening mouthful....

""In-appstore.comGet in-app" video ei ole enää käytettävissä käyttäjän Apple, inc tekemän tekijänoikeus vaatimuksen vuoksi."

Which means (had to use Google Translate, can't be bothered to fathom it out, but you'll get the drift...)

"In-appstore.comGet in-app" the video is no longer available to the user of Apple, inc copyright claim by reason."

0 0
1. Saturday 14th July 2012 11:46 GMT stanimir
  
  Re: Blocked for me...(UTC+2 - Finland)
  
  Finland is UTC+3 now, daylight savings applied (just telling)
  
  0 0
Saturday 14th July 2012 10:44 GMT Anonymous Coward

His intention is to profit from this, any legitimate security researcher would have passed on the information.

iOS is locked down quite a lot, this just results in it being even more strictly controlled. This sort of stupid exploit is counter-productive.

2 0
1. Saturday 14th July 2012 11:07 GMT Anonymous Coward
  
  Completely agree, at least before we could add our root certificate and unencrypt SSL traffic to and from Apple for debugging or just to check there was nothing extra going on.
  
  Sounds like the fix will break this ability.
  
  2 0
Saturday 14th July 2012 17:25 GMT Anonymous Coward

Apple claims copyright on method?

The video describing the method has been removed by Apple. Are other sites with the video?

0 1
Saturday 14th July 2012 17:36 GMT h3

Freenium is bulls*ht anything that destroys that business model is for the greater good.

(Compared to a Sega or Square Enix classic the quality is dire - The humble Android bundles have content that is fairly mediocre but you get allot for even the average price - Freenium is totally and utterly dire. (Zen Pinball I suppose is ok one free table and you pay for more but not micro transactions or adware).

0 2
1. Monday 16th July 2012 10:49 GMT Anonymous Coward
  
  What's wrong with giving the game away and paying if you like it - I'd rather than that PAY for the game then realise it's a bag of crap. I'm sure people can get carried away and keep buying upgrades / gems etc. but they are not being 'forced' to.
  
  0 0
2. Monday 16th July 2012 18:00 GMT Anonymous Coward
  
  Tell that to games like ...
  
  Tribes Ascend or Blacklight: Revolution
  
  It maybe however be that Freemium is a bad choice for Mobile applications, but I don't purchase apps for my mobile.
  
  0 0
This post has been deleted by its author
Sunday 15th July 2012 14:17 GMT Saoir

"Developers could be seriously out of pocket"

How exactly will this happen ? So thousands of people who WERE going to buy apps will now use this crack to buy their apps before Apple close the loophole ?

What a nonsensical proposition.

2 0
Monday 16th July 2012 08:02 GMT Confuciousmobil

WCPGW?

I'll trust his cert, change my IP and give him my username and password.

I mean, what could possibly go wrong?

0 0
Monday 16th July 2012 10:47 GMT Anonymous Coward

Sounds like lazy developers who do not bother to ensure they are calling back to validate the transaction with Apple's servers.

If you want to hand over your DNS resolution etc. to some Russian hackers please accept everything you deserve - probably much more than the £0.59 you saved on buying the game legitimately.

0 1
1. Monday 16th July 2012 13:58 GMT Paul Bruneau
  
  Not lazy, just with proper priorities
  
  Why should I spend time, effort and server resources to set up a verification server when I can use my time and skill to make my app better? Or to make new apps?
  
  As has been pointed out by many, these folks weren't going to buy content anyway.
  
  So don't call me lazy.
  
  0 0