While the fruity cargo cult Apple advertises that its systems are totally secure, it is fighting a losing a battle with a Russian hacker who appears to be having a laugh.
Alexey Borodin published a video on YouTube showing users how they could avoid paying for in-app purchases without even having to gain root access to the system.
The method is actually simple. All you need to do is install two security certificates and change the DNS settings on their device.
Borodin claimed that more than 30,000 illegal in-app purchases have taken place since he told the world+dog about the hack.
The Russian seems to have a beef with the business model which offers you free software but insists you pay out for new features.
So far Apple has done nothing to fix the hack. Its efforts have concentrated on trying to censor the the instructional video.
As you might guess this was pretty silly as Borodin’s fans simply replaced it. Since the hack works by placing Borodin’s server in between the device and Apple, Jobs’ Mob blocked the IP address of the server used by Borodin to implement the hack, and convinced the host in Russia to shut down his service. It worked with PayPal to prevent him from receiving donations.
Borodin’s answer to that was to move the server to a new location and he now accepts donations using the anonymous Bitcoin service.
He has also tightened up the exploit to avoid interacting with the App Store, making it even harder for Apple to shut down.
His only problem is that the exploit has been so popular he can’t afford to pay for the bandwidth required to keep the exploit running much longer.
Another factor has entered the battle. Apple is rubbish at releasing updates to its software fast enough. While Microsoft could have been expected to release a patch for this sort of thing within days, Jobs’ Mob is still twiddling its thumbs. The Sydney Morning Herald points out that Apple recently released iOS 6 beta 3 to developers, but the patch didn’t block Borodin’s exploit.
So at the moment it is up to developers, who are seeing their profits going down the gurgler, to try and put people off the hack. At the moment that appears to be just warning about the perils of using a third-party DNS server.
The argument being that Borodin does not appear to be the most moral of people because he is ruining Apple’s day so therefore he must be nicking banking details and private data.
But Borodin claims in his “terms of service” document that he collects no data and users do not have to enter their Apple ID and password to use the exploit.
The exploit does not work with all apps, and developers can get around the exploit by releasing new versions of their apps that use their own web servers, not Apple, to validate receipts. The developers don’t like this idea because it increases costs.