Dom Esposito, July 20, 2012
The Russian hacker is at it again. As noted by The Next Web, the hacker has developed a similar hack to steal in-app purchases from the Mac App Store now. The hack uses the same exploit found in the original in-app hack for iOS.
It’s saddening that this continues to be an issue, one that has now unfortunately moved to Macs as well. Just earlier Apple assured developers this hack would be fixed in iOS 6, and offered a temporary fix in the meantime. Now Apple has to worry about the Mac App Store due to the new ‘In-Appstore for OS X’ method.
The Next Web vaguely explains the method:
[quote]After installing two local certificates, a user points their computer’s DNS settings at Borodin’s server and it pretends to be the Mac App Store, issuing verification of the purchase. It’s not incredibly simple, but it’s not all that hard either. This time there is a companion app called ‘Grim Receiper that must be run on the local machine to facilitate the process as well.[/quote]
Will Apple let Mountain Lion release with the same vulnerabilities? This is costing developers millions of dollars. The Next Web notes that based on statistics from the hacker responsible, the in-app hack has been used for 8,460,017 free purchase transactions. That’s quite a lot of money there if you just guesstimate that each purchase on the low-end was $0.99.
We don’t recommend testing the waters with this hack. This is wrong and there’s no telling what kind of trouble you can get in. If Apple can somehow intercept information on who’s using this in-app hack, expect some severe consequences in the future.
Source: The Next WebFollow @macgasm