Russian Hacker Finds Loophole to Get In-App Purchases for Free

Everybody loves a good hack. As long as it is in good fun, no one’s personal information gets stolen and nobody gets hurt, causing a little technological ruckus every once in a while is a good thing.

Finding a way to get in-app purchases without having to actually purchase them seems like a harmless bit of fun, especially at the expense of Apple’s self-proclaimed excellent security system.

However, it comes at the cost of harming independent developers who rely on in-app purchases to keep their dreams alive. That’s why we’re not going to tell you how Russian developer ZonD80 hacked the system.

According to 9to5 Mac, the hacker in question figured out how to cheat the system without needing to jailbreak or hack an iPad or iPhone. By setting up a false domain name server (DNS) and installing two false security certificates, users direct in-app purchases to a ghost Apple App Store that will make it look to the victim app that a purchase has been made.

According to 9to5Mac, the hacker is also stealing in-app purchase content from developers.  Below is a list of data that is normally processed through the developer’s server:

-restriction level of app

-id of app

-id of version

-guid of your idevice

-quantity of in-app purchase

-offer name of in-app purchase

-language you are using

-identifier of application

-version of application

-your locale

Due to server overload, this technique has been failing. The hacker has posted the following information on his website:

“Currently service is down due to high load. Currently we have VPS with 512mb memory aboard, and there is no way to satisfy everyone with such hardware.

Apple is a big company, I am not. If you want to help me to buy really dedicated 4-quad core server with at least 4gbytes of ram – donate to paypal…”

It is interesting that this guy wants everyone to steal money from other developers by downloading in-app purchases for free, but then wants people to help him keep his application going because Apple is a big company and he is not. Guess what, thief? You’re not stealing from Apple. You’re stealing from people just like you.

For any developers out there, if you haven’t already set up a method for validating receipts for in-app purchases, you should probably get that worked out now, before your app becomes a victim of this hack.

About Lory: Writer of all things app related, traveler of the space-time continuum, baker of really great cookies. Follow me @appaholik