Pesky Russians have done it again, Apple’s In-App Purchases Get Hacked [Video]
A Russian hacker has found a way to obtain in-app purchases from iOS apps for free, without the need for a jailbreak, reports 9to5Mac.
There are three ‘simple’ steps to the procedure:
● installation of CA certificate
● installation of in-appstore.com certificate
● changing DNS record in wi-fi settings
*Note, that in-appstore works only when you connected to Wi-Fi, not Cellular network.
The hack also requires you send information about your transaction through the hacker’s server. That information includes: restriction level of app, id of app, id of version, guid of your idevice, quantity of in-app purchase, offer name of in-app purchase, language you are using, identifier of application, version of application, and your locale.
At this point it seems that apps which properly validate in-app purchase receipts are unaffected by the hack; however, it appears that many apps do not do this.
The hacker’s service is already down to high traffic. Note, due to high load Service is unstable. Reporting of failed purchases disabled.
We would urge users to continue using in-app purchases as normal and urge developers to make sure their apps validate purchase receipts. For those interested, you can see the hack demonstrated in the video below…