While Apple was hard at work coming up with a fix for Russian hacker Alexey Borodin’s iOS in-app purchasing exploit, the wily hacker has unveiled a similar exploit for in-app purchases on Mac OS X.
The latest hack, which affects OS X 10.7 and above (earlier versions don’t support in-app purchases), also relies on tricking Apple’s very basic receipt system for in-app purchases.
Borodin’s latest exploit method doesn’t differ too much from his original iOS hack: You simply need to install two system certificates, change your DNS settings to point to his server, and use a new app call “Grim Receiper.” The app is the only unique element of the Mac OS X hack, and it serves to keep track of receipts for you to reuse, according to Borodin.
Basically, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customer accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.
Apple last night announced that iOS 6 will fix Borodin’s iOS hack, and earlier this week it started attaching unique device IDs (UDIDs) to in-app purchase receipts. For now, developers need to authenticate in-app purchase receipts before they get sent to Apple’s servers.
Apple initially tried to cut off Borodin from its servers using his IP address and urged his ISP to shut down his website. As VentureBeat’s security guru Meghan Kelly tells it, Borodin was eventually able to relaunch his website via an off-shore ISP and figured out another way to steal in-app purchases without using the App Store.
We’re interested in seeing where this game of cat and mouse goes. We’ve dropped a line to Apple for further comment on the news.
Borodin is now accepting donations via Bitcoin, after PayPal stopped accepting donations to him.