Apple is working to block the Russian servers that are allowing users to circumvent iOS in-app purchases and obtain content for free. The Cupertino company reportedly began blocking certain IP addresses over the weekend, and had one server taken down. But despite its efforts, the service continues to work.
Discovered by Russian hacker Alexey V. Borodin, the exploit allowed iOS users to obtain any kind of in-app purchase — including in-game currency and extra content — for free. Borodin’s method could be used by almost anyone, and there was nothing developers could do to prevent it.
Borodin set up the website In-AppStore.com to facilitate the scam, and he revealed to The Next Web that he has already processed over 30,000 payment requests.
However, Apple is now working to block Borodin’s exploit. Before it began blocking his servers, the company issued a takedown request on the original server, and this was taken down by the host located in Russia. Since then, however, Borodin has set up a new one in another country in an effort to avoid Apple’s block.
Borodin tells us that the new service has been updated and cuts out Apple’s servers, “improving” the protocol to include its own authorisation and transaction processes. The new method “can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”
Borodin has also altered his process to force users to sign out of their iTunes accounts before using the service, so that he cannot be accused of stealing their data.
Apple has had Borodin’s original demonstration video blocked on YouTube, and PayPal has blocked all donations to his account. But the hacker has no intention of giving up, and as The Next Web notes, what was originally a simple security exploit has now turned into a game of cat and mouse between Apple and Borodin. What’s interesting, however, is that Borodin claims Apple has not contacted him directly.
It goes without saying that Borodin’s exploit deprives iOS developers of the revenues they would usually collect from these in-app purchases, and is tantamount to stealing paid apps. With that said, we’d advise anyone to steer clear of this service.
Source: The Next Web