By John Gruber
Lex Friedman:
A hack that lets iOS users trick the App Store into giving them in-app purchases for free has gone public, potentially costing app makers revenue and causing Apple a major headache. […]
Alexey V. Borodin of Russia built the in-app purchase hack, which requires several steps — including installing bogus certificates on your device, and using a specially-crafted DNS server. Those ingredients combine to fool apps into believing that they’re communicating with the App Store, when they’re actually going to a Web server that pretends to be the App Store instead. Borodin told Macworld that his exploit works in part by faking — or “spoofing” — the code receipts that Apple issues for in-app purchases which developers use for validation, with the iOS device configured to mistakenly believe that those receipts are coming directly from Apple.
Dalrymple has a short “we’re on the case” statement from Apple PR. Friedman has a good interview with Borodin, worth reading through to the end. Be sure not to have anything in your mouth when you get to the closing paragraph.
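The weak point Borodin’s hack relies on is an app that trusts whatever the device’s network stack returns when it verifies a receipt. The check below is an added illustration, not code from the article or from Apple: it models the receipt-validation a developer’s own server (outside the attacker’s DNS and trust store) would run, and refuses a reply that merely says “OK”. The JSON field names (status, receipt.bundle_id, receipt.in_app[].product_id, transaction_id) and all sample responses are assumptions constructed for the example.

```python
import json

# Constructed sample: a reply for a genuine purchase of our product.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.reader",
        "in_app": [{"product_id": "com.example.reader.premium",
                    "transaction_id": "1000000012345678"}],
    },
})

# Constructed sample: a forged reply that only says "OK". An app that looks
# at nothing but the status code would accept this.
SPOOFED_RESPONSE = json.dumps({"status": 0})

# Constructed sample: a well-formed receipt, but issued for a different app.
WRONG_APP_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {"bundle_id": "com.other.app",
                "in_app": [{"product_id": "com.example.reader.premium",
                            "transaction_id": "1000000012345679"}]},
})


def validate_purchase(response_body, expected_bundle_id, expected_product_id,
                      seen_transaction_ids):
    """Return (ok, reason). Accept only a status-0 reply whose receipt names
    our bundle and product and whose transaction id has not been seen before.
    seen_transaction_ids is a set the caller persists; it is updated on accept.
    Run this on your own server: the device's DNS and certificate store are
    exactly what the attack described above controls."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return False, "unparseable response"
    if data.get("status") != 0:
        return False, "status %r" % data.get("status")
    receipt = data.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "bundle_id mismatch"
    for item in receipt.get("in_app") or []:
        if item.get("product_id") != expected_product_id:
            continue
        tid = item.get("transaction_id")
        if not tid:
            return False, "missing transaction_id"
        if tid in seen_transaction_ids:
            return False, "transaction replayed"
        seen_transaction_ids.add(tid)
        return True, "ok"
    return False, "product not in receipt"
```

Replaying the same genuine receipt a second time is rejected too, which closes the other easy abuse: one real purchase shared among many devices.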
★ Friday, 13 July 2012