A Russian site today published a report that a simple and clever hack can allow Apple iOS in-app purchases to be made at no cost. The hack does not require the phone to be jailbroken.
To exploit the weakness in the in-app purchase flow, only two primary steps are required. First, an additional SSL certificate is installed on the device itself, which involves downloading the file and a couple of screen taps. The second and more difficult part requires control over the local network to create a custom DNS entry. (Stratigos Security researchers are looking at a way to simplify this.) When the iOS app then attempts to connect to Apple’s servers to make the purchase, the connection is redirected to a different server that returns a fraudulent authorization, unlocking the in-game content. This poses a clear threat to Apple’s and game makers’ revenue.
But this could pose a risk to phone owners as well. If the app update mechanism or any other communication goes through this third-party server, it opens the possibility of introducing malicious code to the device. This is similar to other man-in-the-middle attacks facilitated by tools such as The Middler and Evilgrade. So device owners should consider these risks before carrying out these procedures.
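The weakness above is that the app trusts whatever server the redirected connection reaches, and accepts its authorization at face value. The following is an added example (not code from the original post or from Apple) of two client-side guards against that: a certificate pin that an installed CA cannot satisfy, and a check that the authorization is bound to this app, this product and an unseen transaction. The JSON field names, bundle id and product id are hypothetical.

```python
import hashlib
import json

# Constructed stand-ins for DER certificate bytes: the legitimate server's cert
# and the one presented by the rogue server (signed by the user-installed CA).
LEGIT_DER = b"legitimate-server-certificate-der (constructed)"
ROGUE_DER = b"rogue-server-certificate-der (constructed)"
# The pin shipped inside the app: SHA-256 of the legitimate certificate.
PINNED_FINGERPRINT = hashlib.sha256(LEGIT_DER).hexdigest()

EXPECTED_BUNDLE_ID = "com.example.game"        # hypothetical
_seen_transactions: set[str] = set()           # replay protection


def pin_matches(presented_der: bytes) -> bool:
    """Chain validation passes once the CA is installed; the fingerprint pin does not."""
    return hashlib.sha256(presented_der).hexdigest() == PINNED_FINGERPRINT


def authorization_is_valid(response_json: str, requested_product: str) -> bool:
    """Accept only an authorization tied to this app, this product and a new transaction."""
    try:
        resp = json.loads(response_json)
    except ValueError:
        return False
    if resp.get("status") != 0:
        return False
    receipt = resp.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False                      # receipt minted for a different app
    if receipt.get("product_id") != requested_product:
        return False                      # receipt for a different item
    tx = receipt.get("transaction_id")
    if not tx or tx in _seen_transactions:
        return False                      # missing or replayed transaction
    _seen_transactions.add(tx)
    return True


def unlock_content(presented_der: bytes, response_json: str, product: str) -> bool:
    """Unlock only when both the transport and the authorization check out."""
    return pin_matches(presented_der) and authorization_is_valid(response_json, product)


# Constructed messages: a genuine-looking authorization and a generic fraudulent one.
LEGIT_RESPONSE = json.dumps({"status": 0, "receipt": {
    "bundle_id": "com.example.game", "product_id": "gems_100", "transaction_id": "tx-1001"}})
FRAUD_RESPONSE = json.dumps({"status": 0, "receipt": {
    "bundle_id": "com.other.app", "product_id": "gems_100", "transaction_id": "tx-9999"}})
```

With the pin in place the rogue certificate fails before the response is even read; without it, the binding checks still reject a receipt issued for another app or replayed from an earlier purchase.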
At this time it is not yet possible to validate the Russian site’s story because the servers enabling it have been under heavy load, and apparently at least one has been taken down by its hosting provider following a legal request from Apple. However, Stratigos Security researchers are working to independently confirm the issue in our lab.
UPDATE: Macworld reports that both username and password are sent in plaintext to the server. This means that the server, or any attacker who successfully executes a man-in-the-middle attack, can access the victim’s credentials. These credentials are not just valid at the iOS App Store, but typically across multiple Apple properties and, due to password reuse, usually many others as well. Instead, Apple should be protecting credentials on the device and sending the hash to the servers.