A fascinating duel has been underway this month between Russian hacker Alexey Borodin and the mighty Apple. Long lauded for the security of its products, Apple has been dealing with an exploit that permitted purchases to be made inside iOS apps without the customer being charged.
Borodin estimates that some 8.4 million such purchases were allowed by the exploit. By a conservative estimate, this entails a loss of a similar dollar amount, split 70/30 between the app vendors and Apple. It's been an expensive affair, then, as well as an embarrassing one.
Borodin's method, which involved using bogus certificates and a special server setting to fool apps into thinking they were communicating directly with the Apple Store (and receiving genuine receipts from it), was published two weeks ago and adopted with such glee by consumers that the website where it was posted was overwhelmed by traffic. Apparently, people like something for nothing?
The weakness in Apple's system, according to Borodin, was that in-app receipts were generic, containing no specific user data, and were thus "easy to spoof."
Apple moved swiftly to patch the damage by installing APIs to validate each individual app purchase. It has also said that the iOS 6 update, due soon, will provide a permanent fix. Borodin has conceded defeat in this first skirmish, admitting that his exploit cannot bypass the new APIs.
Also, in typically provocative "grey hat" fashion, Borodin claims to have performed a public service: "It is a good news for everyone, we have updated security in iOS, developers have their air-money." Hey, thanks.
Apple will doubtless be overjoyed to learn that Borodin has now moved on to helping out with security on app purchases made via Mac OS X. He has developed a slightly elaborated version of the previous exploit. This time, in addition to bogus certificates and the server setting, would-be freeloaders require an app called "The Grim Receiper," easily found online.
As before, Borodin is exploiting the Apple Store's reliance on receipts rather than on data that securely identifies a purchaser's account or device. Apple's purchasing system clearly has a conceptual and structural flaw, not just a technical one.
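The structural flaw described above, as an added example that is not the page's or Apple's code: a simplified receipt model in which the store signs receipts with a key the app's server also holds (an HMAC, assumed here for illustration; real App Store receipts are not built this way). The weak check accepts any well-formed receipt, while the hardened check only accepts a receipt whose signature, account, device and transaction id all match.

```python
import hmac
import hashlib
import json

# Constructed demo key shared by the (hypothetical) store and the app server.
STORE_KEY = b"constructed-demo-key"


def _digest(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


def sign_receipt(fields: dict) -> dict:
    """Hypothetical store side: the signature covers every field, including
    the purchaser binding, so none of them can be altered afterwards."""
    return {**fields, "sig": _digest(fields)}


def validate_generic(receipt: dict, product_id: str) -> bool:
    """Weak check modelled on the flaw in the text: only product and status
    are inspected, so a receipt carries nothing that ties it to a buyer and
    the same receipt is accepted on any device, for any account."""
    return receipt.get("product_id") == product_id and receipt.get("status") == "ok"


def validate_bound(receipt: dict, product_id: str, account_id: str,
                   device_id: str, seen_transactions: set) -> bool:
    """Hardened check: verify the signature over the contents, require that
    the receipt names this account and device, and reject replayed ids."""
    sig = receipt.get("sig")
    fields = {k: v for k, v in receipt.items() if k != "sig"}
    if not sig or not hmac.compare_digest(sig, _digest(fields)):
        return False                      # forged or tampered receipt
    if fields.get("status") != "ok" or fields.get("product_id") != product_id:
        return False
    if fields.get("account_id") != account_id or fields.get("device_id") != device_id:
        return False                      # receipt belongs to someone else
    txn = fields.get("transaction_id")
    if txn is None or txn in seen_transactions:
        return False                      # missing id or replay
    seen_transactions.add(txn)
    return True
```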
Apple has yet to respond to Borodin's latest move -- which, again, is so public that he can claim to be Apple's security savior -- and indeed, Borodin has been crowing about Apple's failure on his blog.
Of course, with friends like Borodin, who needs cybercriminals?
Hm... Interesting. The guy I know offered to crack my iPhone so I can download all programs for free, but I thought that it wasn't a good idea. It's pretty simple, you can find all directions online.
The funny thing for me was that the guy who offered me that developed an application for iPhone by himself, a paid application, and he still downloaded other apps for free. It didn't make sense to me at all.
Good point. Apple is also great at public relations, as we saw with the Java exploit that hit them a few months back. They're like Willy Wonka's factory. No one knows what goes on in there.
Ron, the fact that most everyone hasn't heard about this is the rub and you would be expected to know about this. Where the heck did Kim dig this up from? Certainly not on any front page, not headlining a web site, not featured on a tv morning show. As long as Apple keeps this item buried the myth of its invulnerability will continue.
"If a tree falls in a forest ...", you know the rest of it.
"Also, in typically provocative "grey hat" fashion, Borodin claims to have performed a public service: "It is a good news for everyone, we have updated security in iOS, developers have their air-money." Hey, thanks."
There are always enough reasons to encourage the likes of Borodin to test the security readiness of these OSs. We hate cyber criminals, but from time to time cyber tricks that aim to test the security readiness of our infrastructure are really welcome.
Apple is no different than any other operating system. Once you get people focusing on the OS or apps they'll find vulnerabilities. They just need a reason to start looking.
Great post. I hadn't heard about this. I don't know why, but I find this Russian hacker surprisingly endearing. Maybe there's just something attractive about sticking it to the man. :)
Is Apple's internal development team so bad at finding these things that Apple is actually letting other people do it for them? Apple's normal behaviour in this kind of situation would be to go after Borodin with all guns blazing: locking him out of the App Store, suing him and everything around him. But in this case they are just fixing the problems. Sounds to me like they need him right now.