Hacker exploits iOS flaw for free in-app purchases


The fact that Borodin's hack exploits an apparent weakness with Apple's system is unlikely to sit well with app makers. "The whole point of the [in-app purchase] system and the App Store is that you shouldn't have to worry about the system," Tabini said. "Otherwise, what are you giving Apple its 30 percent for?"

More to the point, app makers are more likely to rely on Apple's receipt validation approach than to build their own solution. "I'm willing to bet that 99 percent of all developers validate on iOS because it's a lot of extra work to set up a server that does the validation," developer Craig Hockenberry told .

Marco Arment, developer of Instapaper, believes that the hack will only work with standalone in-app purchases, not subscription-based ones such as those Newsstand apps employ. Via email, Arment told : "It probably won't affect the auto-renewing subscriptions, since they rely on a lot of server-side processing to track, but it wouldn't surprise me if it could affect any other [in-app purchase] type (including non-renewable 'subscriptions' like what Instapaper uses) if the apps don't check with Apple's verification servers from their own web services."

iOS users who try the hack may find that, in addition to robbing the developers behind apps that they enjoy, they've put at risk. "I can see the Apple ID and password," for accounts that try the hack, Borodin told . "But not the credit card information." Borodin said that he was "shocked" that passwords were passed in plain text and not encrypted.

According to Tabini, though, "Apple presumes it's talking to its own server with a valid security certificate." But that was clearly a mistake--"This is entirely Apple's fault," Tabini added.