30,000 in-app purchases pirated in just a few hours using in-Appstore

Earlier today we covered the in-Appstore system, which lets users bypass in-app purchases in iOS applications. In the few hours since the system was presented, roughly six in all, iDevice owners have registered over 30,000 fraudulent transactions through Apple's in-app purchase system; converted into money, the amount would certainly be significant.

As of earlier today, some 30,000+ in-app purchases have been made through Borodin's service, which he says gathers no personal information from its users.

The system exploits a weakness in how in-app purchases are validated between the iDevice and Apple's servers, and a developer argues that Apple could close it by hardening the way the data exchanged between the device and the company's servers is protected and validated. Until it does, fraudulent transactions will keep piling up for as long as the service stays online, and developers will keep losing money.

"The fact is, this would be easy for Apple to solve by providing a method for developers to validate IAP receipts using what's called a 'shared secret,' that is, a piece of information known to both Apple and the developer that is not exchanged as part of the validation process," says developer Marco Tabini. "Coupled with another technique called 'salting,' in which each communication is digitally signed in a time-sensitive way, this would make it much harder for someone to subvert the IAP process using a man-in-the-middle attack."
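The validation design Tabini describes, as an added example that is not part of the original article and is not Apple's StoreKit or receipt-validation API: a toy model in Python of (a) the weak flow, in which the app itself asks "the store" whether a receipt is good and trusts whatever host answers, and (b) the hardened flow, in which the developer's backend validates the receipt with a shared secret the device never holds and returns a verdict that is bound to a per-request nonce, time-stamped and signed. The secrets, receipt identifiers, product identifier, status codes and function names are all constructed assumptions. "Time-sensitive signing" is modelled here with a nonce plus an issued-at timestamp; a symmetric verdict key is used to keep the block dependency-free, whereas a production design would sign verdicts with a private key held only on the backend, since any symmetric key shipped inside an app binary can be extracted.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed secrets for this demo. In the design described above, the first lives only with
# the store operator and the developer's backend and is never inside the app; the second signs
# verdicts from the developer's backend to the app.
STORE_DEVELOPER_SHARED_SECRET = b"constructed-shared-secret-store-and-developer"
VERDICT_SIGNING_KEY = b"constructed-backend-to-app-signing-key"
VERDICT_MAX_AGE_SECONDS = 60

# Constructed "store ledger": receipt id -> product that was actually paid for.
STORE_LEDGER = {"rcpt-001": "com.example.app.premium"}


def _sign(key: bytes, payload: dict) -> str:
    """HMAC over a canonical JSON encoding so field order cannot change the signature."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


# --- Weak flow: the app talks to "the store" itself and trusts whatever answers ----------

def naive_app_unlock(store_reply: str) -> bool:
    """Unlocks whenever the reply says status 0; any host able to impersonate the store wins."""
    return json.loads(store_reply).get("status") == 0


def mitm_store_reply(_receipt: str) -> str:
    """What an attacker-controlled 'store' returns for any receipt at all, valid or not."""
    return json.dumps({"status": 0, "product_id": "com.example.app.premium"})


# --- Hardened flow: validation happens server-side with a shared secret ------------------

def store_validate(receipt: str, presented_secret: bytes) -> dict:
    """Model of the store's validation endpoint (hypothetical, not Apple's real API).
    Answers only callers that prove knowledge of the shared secret."""
    if not hmac.compare_digest(presented_secret, STORE_DEVELOPER_SHARED_SECRET):
        return {"status": 1, "error": "bad shared secret"}
    product = STORE_LEDGER.get(receipt)
    if product is None:
        return {"status": 1, "error": "unknown receipt"}
    return {"status": 0, "product_id": product}


def backend_validate(receipt: str, nonce: str, now=None) -> dict:
    """Runs on the developer's backend. The device sends only the receipt and a fresh nonce;
    the backend presents the shared secret to the store and returns a signed, time-stamped verdict."""
    result = store_validate(receipt, STORE_DEVELOPER_SHARED_SECRET)
    unsigned = {
        "ok": result["status"] == 0,
        "product_id": result.get("product_id"),
        "nonce": nonce,
        "issued_at": int(time.time() if now is None else now),
    }
    return {**unsigned, "sig": _sign(VERDICT_SIGNING_KEY, unsigned)}


def hardened_app_unlock(verdict: dict, expected_nonce: str, expected_product: str, now=None) -> bool:
    """App-side check: signature, nonce binding, freshness, and the exact product paid for."""
    now = time.time() if now is None else now
    sig = verdict.get("sig")
    unsigned = {k: v for k, v in verdict.items() if k != "sig"}
    if not isinstance(sig, str) or not hmac.compare_digest(
        sig.encode(), _sign(VERDICT_SIGNING_KEY, unsigned).encode()
    ):
        return False  # forged, or tampered with in transit
    if verdict.get("nonce") != expected_nonce:
        return False  # a verdict captured for some other request and replayed
    issued = verdict.get("issued_at")
    if not isinstance(issued, int) or not (now - VERDICT_MAX_AGE_SECONDS <= issued <= now + 5):
        return False  # stale, or a clock far ahead of the backend
    return verdict.get("ok") is True and verdict.get("product_id") == expected_product


def run_demo() -> dict:
    """Exercises both flows with constructed receipts and returns the outcomes."""
    t = 1_700_000_000  # fixed clock for the demo
    product = "com.example.app.premium"
    nonce = os.urandom(8).hex()

    honest = backend_validate("rcpt-001", nonce, now=t)
    tampered = backend_validate("rcpt-bogus", nonce, now=t)          # store said no ...
    tampered = {**tampered, "ok": True, "product_id": product}        # ... attacker flips the answer
    other_nonce = os.urandom(8).hex()

    return {
        "naive_accepts_forgery": naive_app_unlock(mitm_store_reply("rcpt-bogus")),
        "honest_unlock": hardened_app_unlock(honest, nonce, product, now=t + 10),
        "tampered_rejected": not hardened_app_unlock(tampered, nonce, product, now=t + 10),
        "replay_rejected": not hardened_app_unlock(honest, other_nonce, product, now=t + 10),
        "stale_rejected": not hardened_app_unlock(honest, nonce, product, now=t + 3600),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened flow is that nothing on the network path between the device and the backend can mint a positive answer: the store only talks to a caller holding the shared secret, the backend's verdict cannot be altered without the signing key, a captured verdict is useless for any other request because of the nonce, and it expires after a minute. The product check at the end covers a related failure the shared secret alone does not, namely a genuine receipt for a cheap item being presented to unlock an expensive one.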