garyopa
07-13-2012, 09:26 PM
Russian hacker discovered it
http://www.maxconsole.com/maxconsole/contents/RKLS00000011820/icon_xl.jpg
In-App proxy allows you to obtain in-App purchases at 0 cost
First of all we want to clarify that we are totally opposed to this kind of practice and we are just reporting the security flaw as is. We don't encourage readers to do this because it is bad to steal from developers and you all could end up in jail for doing that ;). And after this introductory disclaimer, the info:
A Russian hacker has discovered a simple and easy method to avoid paying for in-App purchases on iOS Apps (apart from not purchasing them of course) and getting almost all of them for free. The method requires the installation of a CA certificate on your device and a custom DNS.
According to 9to5mac:
Today we received some disturbing tips that a Russian developer has published a method of obtaining in-app purchases from iOS apps for free. First noticed by Russian blog i-ekb.ru, the “in-app proxy” method does not require a jailbreak, can be completed by novices in three steps using just an iOS device, and allows users to install in-app content for free. The hack also works on all devices running iOS 3.0 to 6.0. We have confirmed the method works (at least temporarily), and the published instructions are starting to get attention, so we decided to publish this story as a warning to the Apple developer community.
The hack appears to have come from Russian developer ZonD80, who posted the above video demonstration. ZonD80 also appears to run a website called In-AppStore.com where donations are being accepted to support the development of the project and help keep servers up and running. The developer explained the three steps of the hack, which include the installation of a CA certificate, the installation of the in-appstore.com certificate, and the changing of the DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, as opposed to Apple’s usual purchase confirmation dialog. Perhaps just as troubling as the fact the hack is being used to steal in-app purchase content from who knows how many developers, is the developer’s terms of service.
http://www.youtube.com/watch?v=iSuo4xEucqE
NEWS SOURCE #1: Apple's In-App purchasing process circumvented by Russian hacker (via) 9to5 Mac (http://9to5mac.com/2012/07/13/apples-in-app-purchasing-process-circumvented-by-russian-hacker/)
NEWS SOURCE #2: In-AppStore (via) Official Site (http://www.in-appstore.com/)
Our thanks to 'Kaos2K' for this news item!