Apple tries to mend iOS in-app purchasing mechanism flaw

PanARMENIAN.Net - Apple has begun taking steps to limit the impact of a flaw in its iOS in-app purchasing mechanism that allows iDevice owners to download free in-game content, but despite its initial efforts, the service remains operational, The Next Web reports.

Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.

It followed this up with a takedown request on the original server, which took down third-party authentication with it, and issued a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.

Apple initiated its response after Borodin published a method that allowed iDevice users running iOS 3.0+ to ‘purchase’ any kind of in-app content for free. The content could be obtained without “hacking” the device, and the method cannot be prevented by developers using Apple’s recommended receipt signing procedures.

The method for stealing this content was discovered by Borodin, who created an online service called In-Appstore.com to facilitate it. He explained that the service had already processed more than 30,000 individual in-app payment requests.

After Apple blocked the original ‘attack’ route, Borodin sidestepped the authentication issue by migrating the service to a new server. Apple was able to pressure the host of the original server - which was located in Russia - into dropping Borodin’s service, but according to the Russian hacker, the new server is hosted in an offshore country in an attempt to evade Apple’s legal requests.

Borodin also notes that Apple has not contacted him over the issue.
