Following last week’s report that a Russian hacker had discovered how to cheat developers out of payment for In-App Purchase items, Apple has now begun taking action to permanently disable the hack, including blocking the IP address of the server used by the Russian hacker.
Apple has begun taking steps to limit the impact of a flaw in its iOS in-app purchasing mechanism that allows iDevice owners to download free in-game content, but despite its initial efforts, the service remains operational.
Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request on the original server, taking down third-party authentication with it, and also issued a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.
Besides stealing from developers, the hack also initially posed a security risk that could have allowed the hacker to steal iTunes account information from users, although the hacker insists that he has now made changes to eliminate that concern.
“…cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled’”
Apple also issued a statement on Friday saying that it would look into the problem. Unfortunately, despite Apple’s efforts so far, the service is still up, and the hacker responsible continues to work around the roadblocks Apple has put in place, including by moving the service to another server in Russia.
Apparently some people are extremely determined to steal from Apple and developers, which raises an interesting question: Is it really worth all that effort just to save a few bucks on Smurfberries?