The controversial security researcher Alexei Borodin is not giving up in the cat and mouse game he is currently playing with Apple. He has made available an in-app purchase exploit that works for Mac apps on OS X.
“With idea of @FurioATV & support of CNC I'm introducing you to in-appstore.com on OS X. Yes, Mac&Hackintosh have got free in-app purchases too,” the hacker wrote in a blog post.
Similar to the iOS version of the exploit, Borodin has published a get started
page that teaches OS X users how to make in-app purchases for free.
The process is pretty much the same. The user must install a CA certificate and one from the hacker’s website, and change the DNS records. The novelty in this case is the use of an app called Grim Receiper.
In the meantime, Apple has published an advisory
that describes a list of best practices developers must follow in order to ensure that their apps are not affected
by the attack.
The Cupertino company advises developers whose apps perform validation by connecting to their own server to design the server to perform the validation with the App Store server. They must also utilize “appropriate cryptographic techniques” to verify that the app is actually connected to the server.
For applications that connect to the App Store directly, a number of checks must be performed.
The SSL certificate used to connect to the server must be an EV certificate, the information returned from validation must match the information in the SKPyament
object, the receipt must have a valid signature, and the transaction must have a unique ID.
Apple promises to address the problem with the release of iOS 6. Until then, developers are advised to follow best practices.