ZonD Eighty, the Russian hacker who brought App Store fraud to unjailbroken iPads and iPhones, has extended his “service” to OS X users.
Mac owners can now join their iDevice brethren in ripping off developers.
The procedure starts off the same way on OS X as it does on devices running iOS:
- load and trust a fake CA (certificate authority) SSL certificate,
- load a fake SSL certificate signed by the fake trusted authority,
- change your DNS settings so you’ll be redirected to the fake App Store.
There’s one more step for OS X users:
- install and use an app called Grim Receiper.
Apple has already publicly admitted that this is a vulnerability, and provided some workarounds for iOS programmers to protect their in-app purchases.
According to Apple, the vulnerability will be addressed in iOS 6, which is expected in October 2012.
But with just days to go until Mountain Lion (OS X 10.8) drops, a proper fix for OS X is going to have to wait for a security update.
As Chester and I made clear in the latest Chet Chat podcast, there’s no inadvertent danger to users of Apple products here, only to developers.
If you get “infected” with this stuff, it’s because you went out of your way to avoid paying for something you knew wasn’t free – to “still developers’ money”, in ZonD Eighty’s own words.
Developers will probably want to read the Apple Release Notes mentioned above, and to make sure they’re protecting their in-app purchases as well as they can until Apple closes the door on this exploit entirely.
–
I don’t condone this practice, nor will I participate in it. Any App, whether it’s from the App Store or the Mac App Store, I will pay for in-App purchases. By doing this hack, it denies the developer of any income they otherwise could have earned. I WILL NOT have this installed to my system, because of the inherent dangers associated with it.
What else do you expect from a bunch of crooks?
I hope he gets a long jail sentence and all the crooks who made illegal purchases end up paying for it. Apple will have the final laugh either way. They have done it in the past and they will do it again.
With iOS6 updated API Zond80 said it's game over as he has no way to bypass it.
3 months for a fix for iOS? Where is the backlash? If this was WP7 or Windows the world would be up in arms.
Believers never get angry with their god…