Apple's Fix Failed: In-App Purchases Still Free with This Hack
A few days ago, Russian hacker Alexy Borodin found a way to get free in-app purchases on an iPhone or iPad. In-app purchases include things like items and power-ups for iOS games, as well as subscriptions and "premium" memberships for certain apps.
The method is novel, not for the result, but more so because of how surprisingly easy it is to use. There's no need to jailbreak your phone and the "hack" can be done in a matter of minutes.
The process circumvents Apple's authentication servers by redirecting the requests to Borodin's service, which then sends a receipt back to the device, making the app register that the purchase has been completed. Borodin's service does require a valid receipt from a particular app to get started, but in the past few days he has spent hundreds of dollars "donating" receipts in order to test his process.
Apple obviously isn't very happy with this and released a statement to The Loop:
"The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating."
Apple is currently scrambling to do some damage control, but so far their efforts have not resulted in much. They had the YouTube instructional video disabled, had PayPal suspend the account Borodin was taking donations from, and managed to issue a successful takedown request of his original server. Unfortunately for them, Borodin responded equally as fast, moving his servers offshore and altering the process to not use Apple's own servers.
As of today, Borodin's method is still working and you can see a little more of the back-and-forth between him and Apple on his website, In-Appstore.
Before you run into this, dancing for joy at all of the free stuff you'll be downloading, consider the implications. I'm of course not talking about the ethical ones, as obviously this is taking money out of developers and artists pockets; that's not even up for debate. But consider the fact that you're running your phone's connection through servers in who knows where, through a process designed to illegally steal content.
The process was recently changed to require the user to sign out of their iTunes account first, so, in Borodin's words, "they don't scream to the Internet that I am stealing their credentials." Still, even if Borodin insists he's not logging devices, that's an awful lot to take at his word. This is not even considering what Apple can or will do legal-wise if they manage to track the use of Borodin's process to your phone.
It's a fairly murky grey area right now, so tread carefully if you intend to try it out. In any case, here are the steps to get it to work. Use at your own risk!
You can do this by going to Settings -> Store -> Tapping on your Apple ID, then hitting "Sign Off".
Install the following profiles onto your device. Important! They must be installed in this order:
Go to the app where you intend to buy in-app items, and start a purchase. Then hit "Cancel" when it asks you to verify that you want to make the purchase.
Open the Wi-Fi settings on your iPhone or iPad, then tap the arrow on the right of your Wi-Fi network. Set the DNS field to this IP address:
If you're confused, there's a video tutorial available. However, it's already a little out-dated, and I have a good feeling it will be pulled soon.
It's amazing just how simple this process is. It makes you wonder just how secure Apple's system is and if similar vulnerabilities could be exploited to steal entire apps, personal information, or anything like that.
It's certainly going to be a back and forth battle between Borodin and Apple as word spreads about the vulnerability. Considering Apple's tremendous resources and talent, I don't doubt at all that the hole will soon be shut; my only question is what the consequences of this whole affair will be.