About a week ago, Russian hacker Alexey Borodin found a way for iPhone and iPad owners to download in-app purchases for free. Well, now, that same hacker has managed to circumvent the same kind of procedure for Mac OS X apps. The “In-Appstore for OS X” uses a similar receipt-spoofing method that made waves among iOS apps last week.
Users need to install local certificates onto their Mac, which allows them to route purchases from within OS X apps to a DNS server specifically created and hosted by Borodin for the purpose of faking purchase validation. This server, designed to be an almost identical replica of the Mac App Store, sends back a spoofed receipt verification.
Borodin says that nearly 8.5 million transactions have been initiated through his spoofing method, a figure that likely refers only to the iOS version. With the new Mac OS X hack, that number will surely climb, at least until it ends up getting patched. Apple is set to release its new OS X Mountain Lion soon, which should include a fix to this egregious hack.
[via Apple Insider]