It’s been 10 days since Russian hacker Alexey Borodin unleashed hell for Apple with his iOS in-app purchasing exploit. But after successfully countering some of Apple’s attempts to shut him down, Borodin is calling it quits on his iOS hack. Instead, he’s going to focus more on his Mac OS X exploit, unveiled over the weekend.
“By examining Apple’s last statement about in-app purchases in iOS 6, I can say that currently game is over,” Borodin wrote in a blog post, referring to Apple’s fix for developers against his exploit. “Currently we have no way to bypass updated APIs. It’s good news for everyone, we have updated security in iOS, developers have their air-money.”
Borodin went on to say that he will continue running his iOS exploit service until iOS 6 comes out. Apple has offered developers early access to some APIs to secure their in-app purchases, but it won’t be able to widely fix Borodin’s exploit until iOS 6 is released.
He hinted that he has something in store for Apple’s Mac OS X app store. That exploit is similar to the iOS in-app hack, but it also requires a separate app called “Grim Receiper” to function. Apple hasn’t yet responded to Borodin’s OS X hack, but I would imagine that it would be tougher to fix, since the desktop OS is more open than iOS.
As I’ve written previously, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customer accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.