Forgot password
Enter the email address you used when you joined and we'll send you instructions to reset your password.
If you used Apple or Google to create your account, this process will create a password for your existing account.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Reset password instructions sent. If you have an account with us, you will receive an email within a few minutes.
Something went wrong. Try again or contact support if the problem persists.
Escapist logo header image

Russian Hacker Bypasses iOS Microtransactions

This article is over 12 years old and may contain outdated information
image

The iOS in-app purchase system has been hacked, and Apple isn’t sure what to do about it.

Last Friday Apple’s iOS store was faced with its worst nightmare: a hacker who’d discovered a way to bypass its in-app purchasing system. The hacker in question, Russian Alexey Borodin, was allowing Apple’s customers to download premium app store content for free. Although Apple took steps, forcing Borodin to change his IP and abandon PayPal as a means of getting payment for his service, the hacker is still out there and Apple currently has no way to cut him off.

Borodin’s hack allows users to bypass the in-app purchase system used by so-called “free” apps, so that they can download app content while avoiding the iOS payment system.”Why must pay for content [sic],” Borodin argued in a video release since pulled from YouTube, “I think, you must not.” In a separate message to Macworld, Borodin claimed to be a hobbyist who has a grudge against developers who promote free games that then nickel-and-dime the customer. Though Borodin was using PayPal as a means of collecting donations, he told Macworld he’s just as happy for people to use it free of charge.

The hack means that payments which would normally be authorized by the Apple store now get their content via Russian servers. This system doesn’t work on all in-app purchases; those authorized by the developer, not by Apple, are secure against the Borodin hack. However many developers validate via Apple because to do it themselves they would need to run their own server, and that can get both complicated and expensive.

Apple currently has no means of defending itself against Borodin, so the 30% cut that developers have to give them to use the service isn’t buying developers the security they need. Even Borodin’s customers have no way of defending against the hack, since in order to make use of Borodin’s service they have to give his servers access to their Apple ID and password. If Borodin is the hobbyist he claims to be perhaps there is no risk; if not, Apple isn’t the only one who may find themselves out of pocket this time out.

Apple has yet to say whether or not developers affected by this hack will be compensated for their losses.

Sources: Guardian , Macworld

Recommended Videos

The Escapist is supported by our audience. When you purchase through links on our site, we may earn a small affiliate commission.Ā Learn more about our Affiliate Policy