The IP addresses used by a Russian hacker for the exploit were blocked over the weekend, according to The Next Web. Apple also reportedly issued a takedown request against the servers used, and issued a copyright claim to remove the YouTube video that showed users how to utilize the exploit.
In addition, PayPal blocked hacker Alexey V. Borodin's account for violating its terms of service, preventing him from collecting donations.
The hack, which entails installing forged digital certificates onto an iOS device and connecting to a unique DNS server, was first publicized last week. Apple quickly issued a statement to say it was investigating the matter, adding that the company takes "reports of fraudulent activity very seriously."
Prior to Apple's takedown efforts, Borodin claimed that his method had already been used to process more than 30,000 illegal in-app payment requests. However, the hack has not been completely quashed, as Borodin continues to find ways to keep the exploit alive.
Screenshot of Borodin's in-app purchasing workaround being used on CSR Racing. | ZonD80's YouTube channel
Apple's current methods to block the hack are likely a short-term fix. Developers believe a more permanent solution would be easy for Apple to create, though it would likely require a software update for iPhone and iPad users.
Apple first introduced in-app purchases with the release of iOS 3.0 in 2009. The feature was initially limited to paid applications, but was made available to free apps later that year. Apple takes a 30 percent cut of revenue generated from in-app purchases.
44 Comments
If Alexey is short of cash he can just sell all of the iTunes accounts of those using his hack. :)
His process now forces users to log out of their iTunes account. He doesn't want access to their details. Additionally, his PayPal acc has been frozen so I guess he hasn't made a single bean.
Although he is enabling people to steal, personal gain (i.e. cash) doesn't seem to have been his primary motive (donations aside).
The guy will try to amass a little fortune before being on the run, lol, pesky Russians.
Yep! The idiots who used his service will pay now as their iTunes account gets owned. No free lunch.
So is it Apple's fault for having the vulnerability, or other people's fault for trying to take advantage of it?