ZonD80 in-app purchases hack

Apple gave developers a temporary way to stem the flow of stolen in-app purchases today, after a Russian hacker published a technique for downloading goods without paying for them. The issue overall should be fixed in iOS 6, the company says.

According to 9to5Mac, Apple identified the issue in an e-mail to developers, saying it stems from a vulnerability in iOS 5.1 and earlier. Russian hacker Alexey V. Borodin exploited the vulnerability and later published a video to YouTube (which has since been removed) that explained how to use the hack. Here’s what the e-mail said:

A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.

iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.

Prior to the release of iOS 6, however, Apple urges developers to have in-app purchase receipts sent to personal servers for validation before being sent back to Apple’s App Store servers. It has also provided a bit of code developers can use to protect themselves. The hack is fairly user-friendly and doesn’t involve jail-breaking the phone, which makes it even more of a thorn in a developers’ side. This sort of stealing cuts off a major source of revenue for iOS developers, particularly those who make free-to-play apps.

After finding out about the hack, Apple went after Borodin, cutting off his IP address’ access to the company’s servers. It also asked Borodin’s Internet service provider to shut down his website, which was collecting donations to keep the hack running, and requested that YouTube take down the video he uploaded explaining the hack.

PayPal has since shut down donations to Borodin.

However, Borodin was later able to reinstate the website using an off-shore ISP and figured out a way to continue stealing in-app purchases without accessing the App Store. Apple responded Wednesday by sending in-app purchase receipts to developers with a UDID assigned to each one. The UDID is a means to identify a phone and could be used to see who is using the hack.

hat tip 9to5Mac; Screen shot via Borodin’s removed YouTube video