A fascinating duel has been underway this month between Russian hacker Alexey Borodin and the mighty Apple. Long lauded for the security of its products, Apple has been dealing with an exploit that let customers complete in-app purchases in iOS apps without ever being charged.
Borodin estimates that some 8.4 million such purchases were allowed by the exploit. Even on the conservative assumption of a dollar apiece, that is a loss of a similar number of dollars, split 70/30 between the app vendors and Apple under the App Store's standard revenue share. It's been an expensive affair, then, as well as an embarrassing one.
Borodin's method, which used a bogus certificate and a changed DNS setting to route the device's App Store traffic to his own server, so that apps believed they were talking directly to the App Store and accepted receipts from it, was published two weeks ago, and adopted with such glee by consumers that the Website where it was posted was overwhelmed by traffic. Apparently, people like something for nothing.
The weakness in Apple's system, according to Borodin, was that in-app receipts were generic: they contained nothing specific to the user who had paid, and were thus "easy to spoof."
Apple moved swiftly to limit the damage by issuing APIs that let developers validate each individual in-app purchase. It has also said that the iOS 6 update, due soon, will provide a permanent fix. Borodin has conceded defeat in this first skirmish, admitting that his exploit cannot bypass the new APIs.
Also, in typically provocative "grey hat" fashion, Borodin claims to have performed a public service: "It is a good news for everyone, we have updated security in iOS, developers have their air-money." Hey, thanks.
Apple will doubtless be overjoyed to learn that Borodin has now moved on to "helping out" with the security of app purchases made via Mac OS X. He has developed a slightly elaborated version of the previous exploit. This time, in addition to the bogus certificate and the DNS setting, would-be freeloaders need an app called "The Grim Receiper," easily found online.
As before, Borodin is exploiting the App Store's reliance on receipts rather than on data that securely identifies the purchaser's account or device. Apple's purchasing system clearly has a conceptual and structural flaw, not just a technical one.
Apple has yet to respond to Borodin's latest move, which, again, is so public that he can claim to be Apple's security savior, and Borodin has been crowing about Apple's failure to answer it on his blog.
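To make that structural point concrete, here is an added illustrative model. It is not Apple's code, not Borodin's, and not a description of App Store internals; the keys, identifiers and the HMAC that stands in for the store's signature are all constructed for the example. It shows the two ways a receipt that names only the product goes wrong: a receipt minted by an impostor server is caught only if the client checks the genuine store's signature rather than trusting whichever server it reached, and even a genuinely purchased receipt can be copied from the device that paid to any device that did not. A receipt that also names the app bundle and the device, checked together with a one-time transaction identifier, survives neither trick.

```python
import hashlib
import hmac
import json

# Constructed keys for the demo. A real store signs receipts with an
# asymmetric key and the client holds only the public half; HMAC stands
# in for that signature here so the block runs on the standard library.
STORE_KEY = b"constructed-genuine-store-signing-key"
FAKE_STORE_KEY = b"constructed-impostor-server-key"


def _sign(body: dict, key: bytes) -> str:
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def issue_generic_receipt(product_id: str, transaction_id: str, key: bytes = STORE_KEY) -> dict:
    """Receipt carrying nothing that identifies the buyer's app, account or device."""
    body = {"product_id": product_id, "transaction_id": transaction_id}
    return {"body": body, "sig": _sign(body, key)}


def issue_bound_receipt(product_id: str, transaction_id: str, bundle_id: str,
                        device_id: str, key: bytes = STORE_KEY) -> dict:
    """Receipt that names the app bundle and the device it was issued to."""
    body = {
        "product_id": product_id,
        "transaction_id": transaction_id,
        "bundle_id": bundle_id,
        "device_id": device_id,
    }
    return {"body": body, "sig": _sign(body, key)}


def validate_generic(receipt: dict, product_id: str) -> bool:
    """Weak check: genuine signature and the right product. Any device can present it."""
    body = receipt["body"]
    if not hmac.compare_digest(_sign(body, STORE_KEY), receipt["sig"]):
        return False  # not signed by the store: an impostor server minted it
    return body.get("product_id") == product_id


def validate_bound(receipt: dict, product_id: str, bundle_id: str,
                   device_id: str, seen_transactions: set) -> bool:
    """Strong check: genuine signature, issued to this app on this device, never redeemed before."""
    body = receipt["body"]
    if not hmac.compare_digest(_sign(body, STORE_KEY), receipt["sig"]):
        return False  # not signed by the store: an impostor server minted it
    if body.get("product_id") != product_id:
        return False
    if body.get("bundle_id") != bundle_id or body.get("device_id") != device_id:
        return False  # issued to a different app or device: a copied receipt
    tx = body.get("transaction_id")
    if tx in seen_transactions:
        return False  # already redeemed here: a replay
    seen_transactions.add(tx)
    return True


def demo() -> dict:
    """Run the scenarios the story turns on and report what each validator decides."""
    results = {}
    # 1. A receipt minted by an impostor server. Rejected, because the client
    #    verifies the store's signature instead of trusting the endpoint it reached.
    forged = issue_generic_receipt("gold_pack", "tx-forged", key=FAKE_STORE_KEY)
    results["forged_generic"] = validate_generic(forged, "gold_pack")
    # 2. A genuine generic receipt paid for on device A, then copied to device B.
    #    Nothing in it says which device paid, so B's check passes too.
    paid = issue_generic_receipt("gold_pack", "tx-1001")
    results["copied_generic_on_B"] = validate_generic(paid, "gold_pack")
    # 3. The same purchase as a bound receipt: passes once on device A,
    #    fails on a second redemption on A, and fails outright on device B.
    seen_on_a = set()
    bound = issue_bound_receipt("gold_pack", "tx-1002", "com.example.game", "device-A")
    results["bound_on_A"] = validate_bound(bound, "gold_pack", "com.example.game", "device-A", seen_on_a)
    results["bound_replay_on_A"] = validate_bound(bound, "gold_pack", "com.example.game", "device-A", seen_on_a)
    results["bound_on_B"] = validate_bound(bound, "gold_pack", "com.example.game", "device-B", set())
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The generic validator is not wrong about signatures; its flaw is that a correctly signed receipt proves only that somebody, somewhere, once paid for the product, which is exactly the "reliance on receipts rather than on data that identifies the purchaser" described above.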
Of course, with friends like Borodin, who needs cybercriminals?
— Kim Davis , Community Editor, Internet Evolution