Tuesday, July 17, 2012

Apple’s Attempts To Shut Down In-App Purchase Circumvention Continue

A Russian hacker named Alexey Borodin has become a serious bee in Apple’s bonnet. Recently, he created a service that allows App Store users to circumvent Apple’s authentication server and get in-app purchases for free. Over this past weekend, Apple made moves to shut him down, but has seemingly been unsuccessful in doing so.
Apple Tries To Shut Down In-App Purchases Hack
Apple’s attempts to shut him down included issuing a takedown request against Borodin’s surrogate authentication server and a copyright claim on Borodin’s YouTube video that explained how to get the hack working. Unfortunately, none of this will be more than a temporary solution if Apple does not fix the underlying security flaws that let it happen in the first place, and it has not done so yet. Alexey has already set up a new fake authentication server, this time hosted in “an offshore country” where Apple will have a tougher time reaching it, rather than in his home country of Russia.
PayPal also moved to shut down the account through which Alexey was receiving donations, but he has simply moved to other payment options. The project’s site now shows a Bitcoin address at which donations can be received.
As of now, the hacker’s service is still up and running at In-Appstore.com, where instructions can be found on how to get in-app purchases for free. Borodin pointed out to The Next Web that Apple has made no attempt to contact him directly, even though he has not hidden his identity at all.
Until Apple moves to deal with the underlying security flaws in its authentication system, one has to imagine that no amount of DMCA takedowns or copyright claims on YouTube is going to close this vulnerability. Perhaps Apple should consider handing Borodin an information security contract and letting him show them how to fix the vulnerability he himself found.
