Russian hacker vs Apple: the story continues
The controversy around the hacking of the In-App Purchase system is not subsiding. Over the weekend, Apple blocked the IP addresses of the server that hacker Alexey Borodin, known by the nickname ZonD80, used for the hack. The company also asked the server's hosting provider to shut it down.
In addition, Apple is demanding the removal of YouTube videos demonstrating the hacking process, citing copyright infringement.
Recall that the hacking method itself is based on a vulnerability in the billing system. The scheme is quite simple: you need to download 2 additional certificates to the device, change the DNS address in the network settings, go to the online store under a non-existent account and buy the application. The Apple Store then believed that the money had been debited from the subscriber’s account, and installed the applications on the device for free.
According to Apple, Borodin constantly changes the location of his DNS servers and regularly restores the video instructions on YouTube, which is why the company has been unable to block the hacking method. It is worth noting, however, that Apple has not tried to communicate directly with Borodin.
So far, users have made about 30,000 in-app purchases using this hacking method. According to The Next Web, Borodin has now switched from a Russian server to an offshore server. Most importantly, the hacker managed to improve his exploit so that it no longer relies on the App Store authorization process.
It is worth noting that the hacker's exploit could potentially affect the company's further development and the work of iOS developers. First of all, Apple will have to change the protective mechanisms of the App Store.
Recall that this is not the first security gap in the company's history. In early July, experts from Kaspersky Lab discovered an application in the App Store that copied the phone book to a remote server without the user’s permission and sent spam to all contacts. Earlier, at the end of May, experts from the Russian company ElcomSoft discovered a way to hack Apple's iCloud cloud storage. Provided that the user's unique Apple ID was known, the data in iCloud was protected only by the password of the user account.