9to5Mac reports that Apple has emailed members of the iOS Developer Program with a temporary solution that prevents users from using the hack, published by the Russian hacker a week ago, to obtain in-app purchases for free.
Apple has taken several steps so far to block the hack.
- The original YouTube video of the hack has been taken down, Borodin’s PayPal account has been blocked, and his site’s servers had to be moved after the original hosting provider, responding to Apple’s requests, denied him service.
- Apple is also blocking Borodin’s server IP addresses to hinder the authentication step that follows an in-app purchase.
- Apple also added UDIDs to the process for increased security, to block the in-app purchase hack.
Apple has now issued the following note to developers on the iOS Developer site, along with suggestions to help them verify that in-app purchases are legitimate:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
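Apple’s note explains why validation from the device cannot be trusted: the device resolves DNS and trusts a user-installed CA, so a forged server can answer “valid” for any receipt it is shown. The added example below (not Apple’s code and not from this article) sketches the checks a developer’s own backend can apply to a verifyReceipt-style response before crediting a purchase; the JSON field names (status, receipt, bid, product_id, transaction_id) follow the old-style response format as an assumption, and all sample responses are constructed.

```python
"""Server-side receipt checks (added example; field names follow the
old-style verifyReceipt JSON of the iOS 5 era and are an assumption)."""
import json

# Constructed verifyReceipt-style responses: one genuine, one that a
# forged server might hand back (a real receipt, but for another app),
# and one where the App Store rejected the receipt-data as malformed.
GENUINE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.game", "product_id": "com.example.game.coins100",
    "transaction_id": "100000012345678", "quantity": "1"}})
FORGED_OTHER_APP = json.dumps({"status": 0, "receipt": {
    "bid": "com.other.app", "product_id": "com.other.app.gold",
    "transaction_id": "100000099999999", "quantity": "1"}})
REJECTED = json.dumps({"status": 21002})

KNOWN_PRODUCTS = {"com.example.game.coins100", "com.example.game.coins500"}


def check_receipt(body, bundle_id, known_products, seen):
    """Return (ok, reason) for a validation response fetched by the
    backend. `seen` holds transaction ids already credited, so a receipt
    presented twice is treated as a replay rather than a new purchase."""
    try:
        resp = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if resp.get("status") != 0:
        return False, "App Store status %s" % resp.get("status")
    receipt = resp.get("receipt") or {}
    # A "valid" answer is not enough: the receipt must be for this app...
    if receipt.get("bid") != bundle_id:
        return False, "receipt belongs to another app"
    # ...and for a product this app actually sells.
    if receipt.get("product_id") not in known_products:
        return False, "unknown product id"
    tid = receipt.get("transaction_id")
    if not tid:
        return False, "no transaction id"
    if tid in seen:
        return False, "transaction id already credited (replay)"
    seen.add(tid)
    return True, "ok"


if __name__ == "__main__":
    credited = set()
    for name, body in [("genuine", GENUINE), ("replay", GENUINE),
                       ("other app", FORGED_OTHER_APP), ("rejected", REJECTED)]:
        print(name, check_receipt(body, "com.example.game", KNOWN_PRODUCTS, credited))
```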
CNET reports that Apple will include a permanent fix in iOS 6.
“We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases,” Apple spokesperson Tom Neumayr told CNET. “This will also be addressed with iOS 6.”
So if you’re a developer, it may be prudent to implement Apple’s suggestions for preventing fraudulent in-app purchases now rather than wait for the permanent fix, since iOS 6 is not expected to be released until September or October.