
Russian hacker claims to have completely exploited iTunes' IAP system

Luckily few will be foolish enough to test the claim

Many hacking stories start with the word Russian and the latest exploit against iTunes is no exception.

In this case, Russian hacker Alexey V. Borodin (aka ZonD80) seems to have worked out a way of bypassing the check that an in-app purchase was genuinely paid for, and says it works against any iOS app that relies on that check alone.

Untrusted vendor

He says more than 30,000 IAP transactions have been completed without any cash being paid, and the process doesn't involve jailbreaking.

Instead, you install a couple of certificates and point your device at Borodin's proxy server, handing it your iTunes username and password - hardly recommended, since a proxy trusted in that way can read every purchase request it relays, and the Apple ID credentials give its operator far more than free IAPs.

He's been buying IAPs from various iOS games and uploading the digital receipts received from iTunes to the proxy server.

Because iTunes' IAP receipts are not tied to a particular device or app install - a fairly open approach Apple is said to have chosen for privacy and support reasons - a receipt captured once can be sent back to any iOS device routing its purchase traffic through the proxy, fooling the game or app into thinking an official, authenticated payment has been made.

Brute force database

Of course, one limitation of this approach is that it requires a captured receipt for every game (and presumably for each IAP item within it) in order to work completely.

That's why the focus of the exploit has been on the games Borodin demonstrates himself 'hacking', notably Temple Run and CSR Racing - the latter's monetisation methods apparently being the cause of the hacker's frustration.

If so, it means he works fast as the game only came out two weeks ago.

A new stable door

As for ways of combating the hack, Apple will obviously be looking at changing how receipts are validated, perhaps with a time-bound check or a shared secret that isn't carried in the receipt itself and so can't be replayed along with it.

Yet making the process more complex would mean all such apps need to be updated, and could cause privacy issues as well as creating more failed transactions.

Similarly, publishers and developers can use their own authentication servers although that's an added complication few but the largest outfits would be keen on undertaking.
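What such a developer-run check can look like, as an added example written for this page rather than code from Apple, Borodin or any publisher mentioned above: the app sends the receipt to the developer's own server, the server (not the user's device) asks the store whether the receipt is genuine, and it refuses to hand out the same transaction twice. It assumes a simplified JSON receipt format, a stub `store_verify()` in place of Apple's verification service, an invented bundle and product identifier, and a made-up server-side secret.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data for this example; none of it is a real App Store
# receipt, product or secret. Real receipts are opaque signed blobs that the
# developer's server forwards to Apple for verification; here a JSON string
# stands in for the blob and store_verify() stands in for Apple's answer.
APP_BUNDLE_ID = "com.example.racer"                   # assumption: our app
CATALOGUE = {"com.example.racer.credits100": 100}     # product id -> credits
SERVER_SECRET = b"kept on the server, never shipped inside the app"  # assumption

# Receipts the (stub) store actually issued. Anything else is a forgery.
GENUINE_RECEIPTS = set()


def make_receipt(transaction_id, product_id, bundle_id, purchase_time):
    """Build a simplified receipt blob (constructed format, not Apple's)."""
    return json.dumps({"transaction_id": transaction_id, "product_id": product_id,
                       "bundle_id": bundle_id, "purchase_time": purchase_time},
                      sort_keys=True)


def store_verify(receipt_blob):
    """Stand-in for the store's verification service: returns the parsed
    receipt if the store issued it, else None. The real call goes from the
    developer's server to the store, so a proxy on the user's device never
    gets to answer it."""
    return json.loads(receipt_blob) if receipt_blob in GENUINE_RECEIPTS else None


class EntitlementServer:
    """Developer-run server. The app asks it whether to unlock content, and
    it alone decides; the app never trusts a bare receipt."""
    MAX_RECEIPT_AGE = 24 * 3600   # seconds; the time-bound check

    def __init__(self, now=time.time):
        self.now = now
        self.consumed = set()     # transaction ids already redeemed
        self.balances = {}        # device_id -> credits granted

    def redeem(self, device_id, receipt_blob):
        """Return (True, grant_token) or (False, reason)."""
        parsed = store_verify(receipt_blob)
        if parsed is None:
            return False, "receipt not recognised by store"
        if parsed["bundle_id"] != APP_BUNDLE_ID:
            return False, "receipt belongs to another app"
        if parsed["product_id"] not in CATALOGUE:
            return False, "unknown product"
        if self.now() - parsed["purchase_time"] > self.MAX_RECEIPT_AGE:
            return False, "receipt too old"
        tid = parsed["transaction_id"]
        if tid in self.consumed:
            return False, "replayed receipt"      # the proxy-replay case
        self.consumed.add(tid)
        self.balances[device_id] = self.balances.get(device_id, 0) + CATALOGUE[parsed["product_id"]]
        return True, self.grant_token(device_id, tid)

    def grant_token(self, device_id, tid):
        """Proof of grant bound to this device with a secret the receipt never
        carried, so a token copied to another device is useless there."""
        msg = f"{device_id}|{tid}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def verify_token(self, device_id, tid, token):
        return hmac.compare_digest(self.grant_token(device_id, tid), token)


def demo():
    """Walk through an honest purchase, a replay, a forgery, a receipt from
    another app and a stale receipt; returns each outcome keyed by scenario."""
    clock = [1_000_000]                          # fake clock, in seconds
    server = EntitlementServer(now=lambda: clock[0])
    credits = "com.example.racer.credits100"
    results = {}

    genuine = make_receipt("tx-0001", credits, APP_BUNDLE_ID, clock[0] - 60)
    GENUINE_RECEIPTS.add(genuine)
    ok, token = server.redeem("device-A", genuine)
    results["first_use"] = ok
    results["token_on_device_a"] = server.verify_token("device-A", "tx-0001", token)
    results["token_on_device_b"] = server.verify_token("device-B", "tx-0001", token)

    # The same genuine receipt handed out by a proxy to a second device.
    results["replay"] = server.redeem("device-B", genuine)
    # A receipt the store never issued.
    forged = make_receipt("tx-9999", credits, APP_BUNDLE_ID, clock[0])
    results["forged"] = server.redeem("device-B", forged)
    # A genuine receipt, but for a different app's product.
    other = make_receipt("tx-0002", "com.other.game.gems", "com.other.game", clock[0])
    GENUINE_RECEIPTS.add(other)
    results["wrong_app"] = server.redeem("device-B", other)
    # A genuine receipt for our product that is two days old.
    stale = make_receipt("tx-0003", credits, APP_BUNDLE_ID, clock[0] - 2 * 86400)
    GENUINE_RECEIPTS.add(stale)
    results["stale"] = server.redeem("device-B", stale)
    results["balance_a"] = server.balances.get("device-A", 0)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

Two properties do the work here: the question "is this receipt genuine?" is asked by the developer's server directly, so a proxy sitting between the user's device and the store has nothing to answer, and each transaction id is redeemed exactly once, so a receipt captured from one paying customer cannot be handed to thousands of others. The device-bound token is the "shared secret not in the receipt" idea taken one step further.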

So while engineers are considering their options, it seems any iOS app that unlocks content on the strength of a receipt alone, without a server-side check of its own, can be hit in the same way - even if few people will be foolish enough to actually use the hack.

No doubt, the midnight oil will be burning in Cupertino over the weekend.

[source: The Next Web]

Contributing Editor

A Pocket Gamer co-founder, Jon is Contributing Editor at PG.biz which means he acts like a slightly confused uncle who's forgotten where he's left his glasses. As well as letters and cameras, he likes imaginary numbers and legumes.