While Apple keeps claiming that its software is absolutely safe, it is fighting a losing battle with a Russian guy who managed to hack its system. Alexey Borodin hit the headlines after he published a video on YouTube instructing the users how they could avoid paying for in-app purchases without gaining root access to the system.
The way of doing that is quite simple – all you need is to install security certificates and change the DNS settings. The Russian revealed that over 30,000 unauthorized in-app purchases have taken place since he told everyone about the hack. Apple’s business model seems to offer users free software but insists they pay out for new features.
Thus far, the software giant has done nothing to fix the loop hole. Apple’s efforts are rather concentrated on trying to block the instructional video. Of course, it was fruitless because Borodin’s followers just replaced the video. The hack is working by placing the Russian’s server in between the device and Apple, so the company blocked the IP address of the server used by the hacker to implement the attack, and convinced the Russian host to shut down his service. In addition, Apple worked with PayPal in order to prevent Borodin from receiving donations.
In response, Alexey moved the server to a new location and switched to the anonymous Bitcoin service to receive donations. In addition, he tightened up the exploit in order to avoid interacting with the App Store, which made it even harder for the company to shut down.
Alexey’s problem now is that the exploit has become so popular he cannot afford the bandwidth needed to keep the exploit running much longer.
The battle became more intense when it turned out that Apple was rubbish at releasing updates to the software fast enough. Even Microsoft is expected to release a patch for such sort of thing within days, while Apple is still twiddling its thumbs. Experts pointed out that Apple recently released iOS 6 beta 3 to developers, but didn’t include the patch to Borodin’s exploit into it.
Meanwhile, the hacker claims that he doesn’t collect any data and users don’t have to enter their Apple ID and password to use the exploit. The latter doesn’t work with all apps, and the developers are able to get around the exploit by releasing new versions of the applications which use their own web servers, different from Apple, in order to validate receipts. The reason why the developers don't like this solution is because it increases costs.
The way of doing that is quite simple – all you need is to install security certificates and change the DNS settings. The Russian revealed that over 30,000 unauthorized in-app purchases have taken place since he told everyone about the hack. Apple’s business model seems to offer users free software but insists they pay out for new features.
Thus far, the software giant has done nothing to fix the loop hole. Apple’s efforts are rather concentrated on trying to block the instructional video. Of course, it was fruitless because Borodin’s followers just replaced the video. The hack is working by placing the Russian’s server in between the device and Apple, so the company blocked the IP address of the server used by the hacker to implement the attack, and convinced the Russian host to shut down his service. In addition, Apple worked with PayPal in order to prevent Borodin from receiving donations.
In response, Alexey moved the server to a new location and switched to the anonymous Bitcoin service to receive donations. In addition, he tightened up the exploit in order to avoid interacting with the App Store, which made it even harder for the company to shut down.
Alexey’s problem now is that the exploit has become so popular he cannot afford the bandwidth needed to keep the exploit running much longer.
The battle became more intense when it turned out that Apple was rubbish at releasing updates to the software fast enough. Even Microsoft is expected to release a patch for such sort of thing within days, while Apple is still twiddling its thumbs. Experts pointed out that Apple recently released iOS 6 beta 3 to developers, but didn’t include the patch to Borodin’s exploit into it.
Meanwhile, the hacker claims that he doesn’t collect any data and users don’t have to enter their Apple ID and password to use the exploit. The latter doesn’t work with all apps, and the developers are able to get around the exploit by releasing new versions of the applications which use their own web servers, different from Apple, in order to validate receipts. The reason why the developers don't like this solution is because it increases costs.
No comments:
Post a Comment