As we reported last week, a Russian hacker found a loophole in the in-app purchasing system used by Apple for iOS-based purchases. This discovery gave free access to content that would otherwise come at a cost to users (and a profit to developers).
In response, Apple has attempted to block the IP address of the servers used by Russian hacker Alexey V. Borodin to authenticate his fraudulent purchases. Unfortunately, these attempts have been unsuccessful thus far, with the service remaining operational.
The normally quiet Apple must be paying close attention to this exploit, because a statement has been issued by representative Natalie Harrison: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”
Their concern over Borodin is well-warranted, with the hacker having published a method online for purchasing in-app content for free (a video whose original host has since received a take-down request, along with a copyright claim on the content itself). Following the publication of his method, Borodin’s online service (which processed these fake payments) had completed over 30,000 transaction requests.
With the original servers down, Borodin has updated his processes and now claims to be much more difficult to track, as “the new method can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”
Now, Borodin claims he isn’t tracking the devices that use these methods, but I would be more than a little cautious under the circumstances. Don’t trick a trickster, fool a fooler, kid a kidder…
Borodin also claims that Apple has not contacted him over this issue, but I think it is safe to assume that he won’t be on their holiday card list this year (and I wouldn’t want to be him once Apple does make contact).