Apple fights back at in-app freebie exploit

The company reportedly starts blocking the IP address of the server used to facilitate the hack and issues a takedown request to the hosting provider.

Don Reisinger
Don Reisinger
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
2 min read

Apple is not too pleased with Russian hacker Alexey V. Borodin, and a hack he developed that allows iDevice owners to install in-app goods without paying for them.

According to The Next Web, Apple over the weekend blocked the IP addresses of the server Borodin used to facilitate the hack. In addition, the company issued a takedown request to his server's hosting provider. Apple even requested that the video Borodin posted showing his technique in action be removed from YouTube due to a copyright violation.

Borodin last week surfaced with an exploit that re-routes in-app purchase requests away from Apple or a developer's secured server to one that pretends to come from the iPhone maker. That fake server gives the request the go-ahead to deliver the in-app purchase without having customers pay for a virtual good.

For iDevice owners, the barriers to taking advantage of the flaw aren't so high. According to Borodin, users must only install two special security certificates and make purchases over Wi-Fi with modified DNS settings. Borodin told The Next Web last week that at that time, more than 30,000 in-app "purchases" had been made through his service.

Apple quickly responded, telling CNET that it was "investigating" the matter and reassured its developers that it takes "reports of fraudulent activity very seriously."

Despite those best efforts, the exploit is still in the wild, according to The Next Web. Borodin told The Next Web that he has moved to a new server that's hosted in an "offshore country," and not in Russia, where his previous server was. In addition, he has improved the exploit so it no longer relies upon the App Store for authorization processes, making it more difficult for Apple to stop him.

The potential impact on Apple and its developers is quite real. In-app purchasing is becoming an increasingly important revenue-generator for developers, and a source of extra cash for Apple: the iPhone maker takes 30 percent of all revenue generated from in-app purchases.

CNET has contacted Apple for comment on Borodin's claims. We will update this story when we have more information.