Apple Mac in-app purchases hacked; everything free like on iOS

Apple Mac in-app purchases hacked; everything free like on iOS

Summary: While Apple is working hard to fight the hacking of its In-App Purchase program for iOS, the same hacker has pulled off almost an almost identical scheme for the Mac. Just like on iOS, this means you can purchase in-app Mac content without actually paying.

TOPICS: Security, Apple, Apps, Piracy
Apple Mac in-app purchases hacked, just like iOS

Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple today announced a temporary fix and that it would patch the holes with the release of iOS 6. While Cupertino was distracted, Borodin came in and pulled off the same scheme on the Mac.

That's right. Borodin's new hack allows Mac users to circumvent the payment process and essentially steal in-app content, just like his previous one did for iOS. The new "In-Appstore for OS X" service uses a similar method to fake transactions made to Apple's servers, according to "Getting started to receive your in-app for free on OS X."

To use this "trick" yourself, you need to perform the following steps (for the record, I do not recommend doing this, especially given that you have to hand over your login credentials, and I do not condone it either, as it is stealing):

  • Install CA certificate and certificate
  • Change DNS record in Wi-Fi settings
  • Running Grim Receiper application (to save your original AppStore receipts)

Until Apple stepped in, iOS developers had no way of protecting their apps, and this looks to be the same situation for Mac app developers. Using store receipts doesn't work as Borodin's service simply needed a single donated receipt, which it could then use to authenticate anyone's purchase requests. His circumvention technique relies on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server.

The only difference this time around (apart from the different store), is that Borodin has developed an app called "Grim Receiper." It must be run on the local machine, and as far as I can tell its main purpose is to collect receipts for reuse. "That's the tool to keep your original receipts in safe place (locally, of course) during you are using," says Borodin.

Affected iOS apps treated Borodin's server as an official communication because of how Apple authenticates a purchase. The same thing goes for Mac apps. The problem is that Apple does not tie a given purchase directly to a customer or device, meaning a single purchased receipt can be used again and again.

It's not yet clear if Cupertino is transmitting its customers' Apple IDs and passwords in clear text just like it was for iOS (Apple assumed it would only ever be communicating with its own server). If so, whoever operates could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in the same type of man-in-the-middle attack that was used for iOS.

When Apple first tried (and failed) to stop Borodin, the company managed to disable his PayPal account. Borodin started taking donations via BitCoin, and for this Mac app hack he's doing the same: "Help the project by bitcoin 15GCBL7gHbf2p8bapozSrZhNaXdrKUWRFF. Thanks."

The good news this time around, as The Next Web notes, is that in-app purchasing is much more common in iOS apps than it is in Mac apps. Still, hopefully Apple fixes this issue more quickly on the Mac than on iOS. Given that the upcoming OS X 10.8 Mountain Lion is set to be released later this month, Apple could potentially offer a fix for this issue very quickly. Just like on iOS though, developers will have to be given some guidance so they can change the code on their end.

See also:

Topics: Security, Apple, Apps, Piracy

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Amateur hour at One Infinite Loop

    You just can't make this stuff up.
    • When it comes to production of 2nd rate software

      you have to stand in awe, AWE before the all time champion in production of crappy and insecure software: Microsoft. There's absolutely no contest! No contest.
      • The more so in-app purchases have to be validated on developer's side

        There are only like three lines of code that Apple's guidelines prescribe for this, and yet many developers fail to do this and now face the consequences.
      • What does MS have to do with Apple's shoddy programming?

        Stay on topic please.
      • That lame excuse again?

        So it's OK that your car alarm failed (and you lost everything in it) because somebody else lost everything in their house due to a house alarm failure.

        I didn't even see Microsoft mentioned in the article.

        Why not just admit that you're trying to misdirect, get the eyes off of a purley Apple problem.
        William Farrel
      • No contest, Apple wins by a mile.

        Again and again.

        Unfortunatly, not the kind of contest one wants to win, nevermind even be in; but Apple scores first place it looks like.
  • Apple "Lizzie Borden'd" again.

    Apple's best move, no matter the nature of this particular hack, would be to get out of the software business entirely. Security through obscurity was their saving grace before they had some market share, but their ineptness at software is all too sorely apparent now. They would be much further ahead to concentrate on the only thing they do somewhat well - hardware - and to license all code from Microsoft.
    They've done it before, for example their dev environment on the Apple II machines called AppleSoft Basic was written by and licensed from Microsoft.
    • Not at all!

      Apple IS a software company. And their software has just as good a track record as Microsoft, and is considered by most to be even better.

      This is a PITA for developers, and worrisome for them I'm sure.

      But it's still not a risk for users, and only an IDIOT would choose to use this exploit, anyway!
  • Hahaha!

    They are supposed to be so secure yet they cannot even keep their own house safe!
    • It is about *in-app* purchases, nothing to do with "their own house"

      "Their own house" is App Store. No one could buy anything from there for free, ever. In-app purchases have to be validated by developers, so its theirs responsibility that they failed to comply with Apple's guidelines for that. It is just few lines of code that they were ignorant and incompetent enough to not include.
      • I'm not even going to correct you

        I want to see how long you will willingly expose your lack of knowledge in this area. But I will give you a hint. Reread the blog posting. There is even a link there for your reading pleasure. I'm being nice to you, I just can't stand to see anyone's image suffer as much as yours has.
      • @DERSSS

        Actually, it is a real problem for developers using the standard methods endorsed by Apple.

        What it actually involves is someone modifying their system with bastard certificates and rerouting their in-app purchase requests to a bogus server that this hacker is running...which includes the HACKER COLLECTING THEIR STORE CREDENTIALS!

        Only a fool would try this circumvention, for some piddly in-app purchase!
        • lelandhendrix

          You're right but, only a fool would completely change platforms because somebody told them the other platform was immune to Viruses and Malware!

          Now I hope you realize what type of people you're dealing with and it is a shame that people have to have their systems compromised multiple times before they start to take responsibility for their actions.
    • @Peter Perry

      Can you tell me why all of the anti-Apple zealots have changed their screen names?
      • Huh?

        Can you tell me why you won't use your real name? Or why any of the Apple Zealots don't use their real names?

        For me, I was just playing around one day and decided to change details for security reasons...

        When I signed up for ZDNet years ago I just left everything default... Who knows, maybe I will change it again later.
  • Wait, Wait, Wait!!!

    Mac apps have in-app purchases now?... LOL :)
    Nicholas Matkovic
    • This isn't new...

      this isn't new... do you know what in in-app purchase is? Say your using an App to view a magazine, and you want to purchase a subscription to the magazine directly inside the app without having to exit out to a web browser. That would be an in-app purchase.
      • @doh123

        I haven't seen any magazines in the Mac App store!

        And it is pretty rare for Mac App Store programs to have in-app purchases--extremely rare, in fact, compared to the number of iOS app store programs which use them.
  • Apple Mac in-app purchases hacked; everything free like on iOS

    Lets see what Apple does first, fix it or deny it.
    Loverock Davidson-
  • How Stupid...?

    How stupid would you have to be to give a mad Russian your details and connect your computer to his server...???

    None of your information will be safe now, and weeks / months down the line we will be hearing reports of how credit cards and bank accounts have been cleared out and how it was all Apples fault...!

    NO if you are stupid enough to fall for what is basically an attempt to steal someone else's stuff by using this method then you deserve everything you get...!
    Kevin Hancox