Think Information. Think Security.
According to a report by MacWorld, Russian coder Alexey V. Borodin is responsible for finding and taking advantage of the exploit, which involves installing forged digital certificates onto an iOS device and connecting to a unique DNS server which the app believes to be Apple's official App Store. The server then sends spoofed code receipts, normally issued by Apple, to the app, which in turn validates the purchase. The exploit was subsequently posted to YouTube; as of this writing the video had accumulated over 2,000 views.

While other hacks require a jailbroken iOS device able to run proprietary code, the newest iOS exploit simply takes advantage of what can be perceived as a hole in Apple's purchasing system. Apparently Borodin created the bypass as a "challenge" to developers of CSR Racing, a so-called "freemium" app that costs nothing to download but offers exclusive in-app purchases to unlock special content. 

Instapaper developer Marco Arment writes that while it probably won’t affect auto-renewing subscriptions, since they rely on a lot of server-side processing to track, it could affect any other [in-app purchase] type (including non-renewable ‘subscriptions’ like what Instapaper uses) if the apps don’t check with Apple’s verification servers from their own web services.
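The server-side check Arment describes could look like the following. This is an added example, not code from the original article or from any app it mentions: `ReceiptVerifier` and its parameters are hypothetical, the endpoint and the `bid`, `product_id` and `transaction_id` fields follow Apple's legacy `verifyReceipt` JSON interface, and persistence is reduced to an in-memory set.

```python
import base64
import json
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

def post_to_apple(payload):
    """POST the receipt from the server, whose trust store and DNS the device owner cannot alter."""
    req = urllib.request.Request(
        APPLE_VERIFY_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ReceiptVerifier:
    """Hypothetical server-side gate: content is unlocked only if Apple vouches for the receipt."""

    def __init__(self, bundle_id, known_products, transport=post_to_apple):
        self.bundle_id = bundle_id
        self.known_products = set(known_products)
        self.transport = transport          # injectable so the check can be tested offline
        self.seen_transactions = set()      # a real service would persist this in a database

    def grant(self, receipt_bytes, claimed_product):
        payload = {"receipt-data": base64.b64encode(receipt_bytes).decode()}
        try:
            answer = self.transport(payload)
        except (OSError, ValueError):
            return False                    # fail closed if Apple cannot be reached or parsed
        if not isinstance(answer, dict) or answer.get("status") != 0:
            return False                    # Apple did not issue this receipt
        receipt = answer.get("receipt") or {}
        if receipt.get("bid") != self.bundle_id:
            return False                    # valid receipt, but for a different app
        product = receipt.get("product_id")
        if product != claimed_product or product not in self.known_products:
            return False                    # receipt is for something other than what is claimed
        txn = receipt.get("transaction_id")
        if not txn or txn in self.seen_transactions:
            return False                    # missing id or replay of an already redeemed receipt
        self.seen_transactions.add(txn)
        return True
```

Because the device only forwards the receipt and the unlock decision is made after the server's own call to Apple, a receipt accepted by the app over a spoofed connection does not by itself release content.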

The exploit is likely an easy fix for Apple, though a patch would likely involve a software update.

Cross-posted from: Apple Insider
9/30/2012 09:04:59 pm

Hi this one is great and is related stuff and is very much useful for me. Very well written I appreciate & must say good job. Really a good post. I think it will help me a lot in the

