w********1 posts: 3492 | 1 Mon, 16 Jul 2012 08:02:04 PDT
Late last week, we reported on the launch of a new method to allow App Store
users to bypass Apple's In App Purchase mechanism and receive additional
content free of charge. At the time, we noted that use of the method
involved theft of content from developers and exposed iOS device users to
dangers as their account and device information was being routed to servers
under the control of the Russian hacker running the service, but we felt
that reporting on the issue to bring it to light was the responsible thing
to do in order to alert developers to the issue and perhaps spur Apple into
action.
The Next Web now follows up with a report outlining some of the steps Apple
has been taking to combat the issue, including issuing a copyright claim to
have the original video showing the hack in action pulled from YouTube.
Over the weekend, Apple began blocking the IP address of the server used by
Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request on the original server, taking
down third-party authentication with it, also issuing a copyright claim on
the overview video Borodin used to document the circumvention method. PayPal
also got involved, placing a block on the original donation account for
violating its terms of service.
The hacker, Alexey Borodin, remains committed to the service and has been
working to skirt around the roadblocks being thrown up by Apple, in part by
moving the service to a server in another country, but it is clear that
Apple is working on the issue and addressing it through multiple routes in
order to improve the security of In App Purchase content. For now, however,
the service remains operational.

p***c posts: 5202

w********2 posts: 16371 | 3 It seems you have to enter the IP manually.
For developers who cut corners and did not write the authentication in their payment module fully according to the protocol, this is a serious blow.
Still, it is indeed a shame for Apple.
[Quoting p***c's post:] : Very secure, very....
f*******5 posts: 10321 | 4 No. There are two modes: one where the charge is verified through Apple, and one where it is verified through your own server. It is Apple's verification method that has the problem; it got MITM'd.
[Quoting w********2's post:] : It seems you have to enter the IP manually. : For developers who cut corners and did not write the authentication in their payment module fully according to the protocol, this is a serious blow. : Still, it is indeed a shame for Apple.
w********2 posts: 16371 | 5 Are you saying that everything using Apple's verification is toast?
I'd think it's rather that the verification wasn't done completely? Or would even the most complete implementation be fooled?
[Quoting f*******5's post:] : No. There are two modes: one where the charge is verified through Apple, and one where it is verified through your own server. It is Apple's verification method that has the problem; it got MITM'd.
f*******5 posts: 10321 | 6 Yes, because the data transmitted is very limited and has hardly any random variation, so it is easy to fake. Those few steps are clearly meant to make the iPhone believe it is talking to the real server; because of the flaw in the protocol, the fake server can easily forge the confirmation packets.
[Quoting w********2's post:] : Are you saying that everything using Apple's verification is toast? : I'd think it's rather that the verification wasn't done completely? Or would even the most complete implementation be fooled?
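As an added illustration of the point made in the post above, that a confirmation carrying no per-request randomness can be replayed or forged, the following simplified Python model compares a static "ok" confirmation with one bound to a fresh client nonce and an HMAC. This is constructed example code, not code from the article or the thread; the key, field names and product identifier are made up and are not Apple's actual receipt format.

```python
"""Toy model of purchase-confirmation verification (constructed, not Apple's format)."""
import hmac
import hashlib
import json
import secrets

# Constructed shared secret standing in for a verification key the app trusts.
VERIFIER_KEY = b"constructed-demo-key-not-real"


def weak_confirmation(product_id: str) -> dict:
    """Weak scheme: only static fields, so one captured or fabricated message
    is 'valid' for every later purchase request."""
    return {"product_id": product_id, "status": "ok"}


def weak_client_accepts(conf: dict, product_id: str) -> bool:
    return conf.get("status") == "ok" and conf.get("product_id") == product_id


def strong_confirmation(product_id: str, nonce: str, key: bytes = VERIFIER_KEY) -> dict:
    """Hardened scheme: the server echoes the client's fresh nonce and MACs
    (product_id, nonce, status), so the message cannot be reused or forged without the key."""
    body = {"product_id": product_id, "nonce": nonce, "status": "ok"}
    mac = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def strong_client_accepts(conf: dict, product_id: str, expected_nonce: str,
                          key: bytes = VERIFIER_KEY) -> bool:
    body = {k: conf[k] for k in ("product_id", "nonce", "status") if k in conf}
    if (body.get("product_id") != product_id or body.get("nonce") != expected_nonce
            or body.get("status") != "ok"):
        return False  # wrong product, stale/missing nonce, or not a success
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, conf.get("mac", ""))


def demo():
    product = "com.example.coins100"  # constructed product identifier
    replayed = weak_confirmation(product)
    weak_ok = weak_client_accepts(replayed, product)           # replay accepted
    nonce1 = secrets.token_hex(16)
    genuine = strong_confirmation(product, nonce1)
    genuine_ok = strong_client_accepts(genuine, product, nonce1)
    nonce2 = secrets.token_hex(16)
    replay_ok = strong_client_accepts(genuine, product, nonce2)  # stale nonce rejected
    forged = strong_confirmation(product, nonce2, key=b"wrong-key")
    forged_ok = strong_client_accepts(forged, product, nonce2)   # bad MAC rejected
    return weak_ok, genuine_ok, replay_ok, forged_ok
```

Running `demo()` returns `(True, True, False, False)`: the static scheme accepts a replayed message, while the nonce-bound scheme accepts only the genuine confirmation.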