Alexey Borodin, the programmer responsible for the iOS App Store hack earlier this month, has managed to repeat his success on Apple’s Mac App Store. The hack allows users to make in-app purchases from the service without paying for them.
We won’t be publishing detailed steps here; suffice it to say that it requires little more than installing a security certificate, tweaking some DNS settings and running a special program to keep your App Store receipts, as described on the following page. The DNS settings need to be reverted once a purchase is made, but otherwise, it’s scarily straightforward.
While not as significant as the iOS hack, it’s still a worrying security issue for Apple and the developers who make a living off of its App Store. Apple has stated that a fix for the first hack will be available come iOS 6. Until then, Apple has provided developers with information on how to properly validate receipts, but it’s up to them to implement these measures.