Russian hacker ZonD80 recently posted a video on YouTube that explains how to make in-app purchases on iOS devices for free.
"The hack, which doesn’t require users to jailbreak their iOS device (and which works on all devices running from iOS 3.0 to iOS 6.0), makes use [of] what is called an 'in-app proxy' to work," writes Forbes' Adrian Kingsley-Hughes. "This is the first hack of its kind to target the In-App Purchasing mechanism, and while it exists there’s a serious risk that iOS app developers will lose money because of it."
"It's surprisingly easy to set up, requiring no jailbreaking or hacking magic at all," writes Gizmodo's Jesus Diaz. "You just need to follow some steps in your stock iOS device and it will work: 1. Install two security certificates, which can be easily downloaded from the web site that provides this service. 2. Set a new Domain Name Server (DNS) in your iPhone or iPad internet preferences. 3. There's no step three."
"Essentially, this circumvention technique relies on installing certificates for a fake in-app purchase server as well as a custom DNS server," writes ZDNet's Emil Protalinski. "The latter's IP address is then mapped to the former, which in turn allows all 'purchases' to go through. What's really worrying, however, is that ZonD80 could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. In other words, this is not a good hack to try."