18 Jul 2012
After its first attempt to fight the in-app freebie exploit by blocking the IP address of the server used for the hack, Apple moved to a takedown appeal to the web-hosting provider.
Last week, Russian hacker Alexey V. Borodin used a flaw in Apple’s in-app purchasing mechanism to offer the iWorld the possibility to grab as many paid applications as they want without paying a dime.
Apple’s first move was a copyright violation claim to YouTube to demand the takedown of the video where Borodin explained how his exploit works. Apple then proceeded to block the IP address used in the hack. When this didn’t work, the company made an appeal to the Russian hosting provider to take down the server.
But while Apple managed to “pressure the host of the original server into dropping Borodin’s service,” the Russian hacker made his next move, as stated for The Next Web, and acquired a “new server hosted in an offshore country in an attempt to evade Apple’s legal requests.”
On top of that, the new version of Borodin’s exploit allegedly doesn’t need the App Store to authorize transactions, which makes it far more difficult for Apple to track down misdeeds.
Borodin explains in a YouTube video (since taken down) that, to get paid applications without paying, the user only needs to install certain security certificates and use a Wi-Fi network to connect to the Internet. The hacker set up rogue servers to act as a “man-in-the-middle”: they receive and process the requests addressed to Apple’s secure servers, allowing free in-app purchases.