Published Date: 2012-07-23
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident happened in July 2012. [13190, 13323, 13180] |
System | 1. Apple's in-app purchase checking system on iOS devices [13190, 13323] 2. Validation of in-app purchases made on the device rather than through the app developer's servers and Apple's servers [13190, 13323] 3. Use of deprecated in-app purchase checking methods by affected apps [13190, 13323] 4. Lack of checks to confirm that transactions were made with Apple's servers rather than any site returning the correct code and a certificate [13190] 5. Failure to let developers check the validity of the SSL certificate returned from the transaction, allowing the hack to work [13190] 6. Vulnerability in the billing system that allowed the hack to exploit the in-app purchase process [13323] |
Responsible Organization | 1. The software failure incident was caused by a Russian hacker named Alexey Borodin who developed a method to make fake in-app purchases, affecting numerous apps on the Apple App Store [13190, 13323]. 2. Apple's in-app purchase system, specifically the method of validation that was deprecated and allowed the hack to work, also played a role in the software failure incident [13323]. |
Impacted Organization | 1. App developers [13190, 13323] 2. Users who made fake in-app purchases [13190, 13323] 3. Apple's App Store security [13190, 13323] |
Software Causes | 1. The software failure incident was caused by a method developed by a Russian hacker, Alexey Borodin, that allowed users to make fake in-app purchases in some apps downloaded from the iTunes App Store [13190, 13323, 13180]. 2. The affected apps used a method of in-app purchase checking that Apple had deprecated, where validation of an in-app purchase was made on the device, not by checking with the app developer's servers and then Apple's own servers [13323, 13180]. 3. Borodin's hack exploited a vulnerability in the in-app purchase system that did not verify receipts against Apple's servers, allowing users to make unauthorized purchases [13190, 13323, 13180]. 4. The hack worked by spoofing the receipt from Apple's servers, allowing users to bypass the legitimate in-app purchase process [13190, 13323, 13180]. 5. Developers who did not validate in-app purchases against Apple's servers were vulnerable to the hack, as the purchases were validated solely on iOS, using fake Apple server addresses provided by the hack [13323, 13180]. |
Non-software Causes | 1. Lack of proper validation of in-app purchases by Apple, allowing for fake transactions to occur [13190, 13323]. 2. Use of deprecated in-app purchase checking methods by affected apps, making them vulnerable to the hack [13323]. 3. Potential risk to users' Apple ID and password due to the nature of the hack [13323]. 4. Installation of self-certified security certificates by users, which could lead to security risks [13323]. 5. The complexity and security implications of the in-app purchase validation process [13323]. |
Impacts | 1. The software failure incident allowed a Russian hacker to make more than 8.4 million fake in-app purchases in at least 115 games, affecting popular titles like Temple Run, Plants vs Zombies HD, and Angry Birds [13190]. 2. The incident led to potential financial losses for developers who rely on in-app purchases as a monetization method, as users were able to obtain content for free without proper payment [13323]. 3. Users who took advantage of the system could have put their Apple ID and password at risk, potentially leading to fraud [13180]. 4. The incident highlighted a flaw in Apple's in-app purchase validation system, where purchases were validated solely on iOS without checking against Apple's servers, leaving apps vulnerable to such hacks [13323]. 5. Developers were urged to update their apps to implement the fix provided by Apple to prevent further exploitation of the vulnerability [13190]. |
Preventions | 1. Implementing a more secure method of in-app purchase validation by using a server operated by the app developer, as recommended by Apple's Store Kit documentation [13323, 13180]. 2. Checking the validity of the SSL certificate returned from the transaction to ensure it was made with Apple's servers, rather than any site returning the correct code and a certificate [13190]. 3. Regularly updating apps to incorporate fixes and patches provided by Apple to address vulnerabilities in the in-app purchase system [13190]. 4. Enhancing security measures to prevent unauthorized access to private APIs on iOS, as demonstrated by the seriousness of the flaw in this incident [13190]. |
Fixes | 1. Implementing a fix that gives developers access to two of Apple's private APIs on iOS to check the validity of both new and old purchases [13190]. 2. Ensuring that in-app purchases are validated against Apple's servers as recommended in Apple's Store Kit documentation [13323, 13180]. 3. Developers using their own servers for validating in-app purchases, which then connect to Apple's servers, to avoid being affected by the hack [13190]. 4. Updating apps to incorporate the fix provided by Apple to wipe off faked purchases on users' devices [13190]. 5. Checking the validity of the SSL certificate returned from the transaction to confirm that the transaction was made with Apple's servers [13190]. 6. Re-validating transactions that have already been carried out by checking them against Apple's SSL certificate for its own server using two private APIs [13190]. |
References | 1. Alexey Borodin's blog [13190] 2. YouTube [13323] 3. Macworld [13323] 4. Apple spokesperson Natalie Harrison [13323] 5. Craig Hockenberry, Mac and iOS developer [13323] 6. Greg Boyle, director of mobile product marketing at Trend Micro [13323] |
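The validation pattern that the Preventions and Fixes rows describe (a developer-operated server that checks each receipt with Apple's servers over a certificate-verified TLS connection, instead of trusting a check done on the device) is shown below as an added example; it is not code from this page, from Apple, or from any of the affected developers. It assumes Apple's `verifyReceipt` endpoint and its documented reply fields (`status`, `receipt.bundle_id`, `receipt.in_app[].product_id` and `transaction_id`); the bundle and product identifiers, receipt bytes and canned replies are constructed for the demo. The transaction-id replay guard goes one step beyond the page: it keeps a genuine receipt from being redeemed more than once.

```python
import base64
import json
import ssl
import urllib.request

# Apple's production receipt verification endpoint, assumed from Apple's
# documentation of the time; the page itself names no URL.
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def post_to_apple(url, body):
    """Default transport: HTTPS POST with chain and hostname verification.
    A spoofed host with a self-signed certificate (the 'closed world' the
    page describes) fails here before any reply is trusted."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


class ReceiptValidator:
    """Developer-operated validation service: the app uploads its receipt,
    this server asks Apple, and only then is the entitlement granted."""

    def __init__(self, bundle_id, post=post_to_apple, verify_url=APPLE_VERIFY_URL):
        if not verify_url.startswith("https://"):
            raise ValueError("verification must go over HTTPS")
        self.bundle_id = bundle_id
        self.post = post
        self.verify_url = verify_url
        self.seen_transactions = set()  # replay guard (addition beyond the page)

    def validate(self, receipt_bytes, expected_product_id):
        """Return (granted, reason). Grant only on Apple's word, never on
        anything the device asserts about itself."""
        body = {"receipt-data": base64.b64encode(receipt_bytes).decode()}
        try:
            reply = self.post(self.verify_url, body)
        except Exception as exc:  # TLS failure, timeout, malformed JSON
            return False, f"verification request failed: {exc}"
        if reply.get("status") != 0:
            return False, f"Apple rejected receipt (status {reply.get('status')})"
        receipt = reply.get("receipt") or {}
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt belongs to a different app"
        match = next((p for p in receipt.get("in_app", [])
                      if p.get("product_id") == expected_product_id), None)
        if match is None:
            return False, f"no purchase of {expected_product_id} in receipt"
        txn = match.get("transaction_id")
        if not txn:
            return False, "purchase lacks a transaction id"
        if txn in self.seen_transactions:
            return False, f"transaction {txn} already redeemed"
        self.seen_transactions.add(txn)
        return True, f"transaction {txn} verified"


# --- Constructed demo data: not a real receipt or real Apple replies ---
GENUINE_REPLY = {"status": 0, "receipt": {
    "bundle_id": "com.example.game",
    "in_app": [{"product_id": "com.example.game.coins100",
                "transaction_id": "1000000000000001"}]}}


def fake_apple(replies):
    """Offline transport returning canned replies in order (constructed)."""
    def post(url, body):
        assert "receipt-data" in body
        return replies.pop(0)
    return post


def demo():
    """Genuine receipt, the same receipt replayed, then a receipt Apple
    rejects (21002 is one of Apple's documented non-zero statuses)."""
    v = ReceiptValidator("com.example.game",
                         post=fake_apple([GENUINE_REPLY, GENUINE_REPLY,
                                          {"status": 21002}]))
    product = "com.example.game.coins100"
    return [v.validate(b"receipt-bytes", product)[0],
            v.validate(b"receipt-bytes", product)[0],
            v.validate(b"garbage", product)[0]]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

Because the lookup happens from the developer's server, a DNS override or self-signed certificate installed on the user's device has nothing to influence; the only certificate that matters is the one Apple presents to the server, and `ssl.create_default_context()` refuses anything not chained to a trusted CA for the expected hostname.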
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident related to fake in-app purchases affecting Apple's App Store has happened again within the same organization. The incident involved a Russian hacker, Alexey Borodin, who developed a method to make fake in-app purchases, impacting a significant number of apps downloaded from the iTunes App Store [13190, 13323]. (b) The incident also affected multiple organizations, as at least 115 games were impacted, including popular titles like Tap Tap Revenge 4, Temple Run, Plants vs Zombies HD, Infinity Blade 1 and 2, Fruit Ninja, Fifa 2012, and Angry Birds [13190]. Additionally, the method developed by the hacker could undermine the monetization system of a significant number of apps, indicating a broader impact beyond just Apple's ecosystem [13323]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase: - The incident was caused by a flaw in Apple's in-app purchase system that allowed a Russian hacker, Alexey Borodin, to make fake in-app purchases and pass them on to users [13190, 13323]. - Borodin figured out how to hack the system for in-app purchases by spoofing the receipt from Apple's servers, which exposed a vulnerability in the design of the in-app purchase validation process [13190]. - Apple had to issue a fix that gave developers access to private APIs on iOS to address the flaw, demonstrating the seriousness of the design flaw in the system [13190]. (b) The software failure incident related to the operation phase: - Users who took advantage of Borodin's system for fake in-app purchases were at risk of exposing their Apple ID and password, which could be used for fraudulent activities [13323]. - The incident highlighted the importance of developers validating in-app purchases against Apple's servers to ensure the requests are valid, indicating an operational flaw in how some apps were handling in-app purchases [13323]. - Developers who relied solely on iOS for in-app purchase validation were more susceptible to the hack, showcasing an operational weakness in their approach to in-app purchase security [13323]. |
Boundary (Internal/External) | within_system, outside_system | The software failure incident related to the fake in-app purchases hack by the Russian hacker Alexey Borodin can be categorized as a failure originating from both within the system and outside the system. (a) within_system: The failure within the system is evident from the fact that the hack exploited a method of in-app purchase checking that Apple had deprecated, where validation of an in-app purchase was made on the device itself, not by checking with the app developer's servers and then Apple's servers [13323]. This internal vulnerability allowed the fake in-app purchases to bypass the proper validation process within the system. (b) outside_system: The failure originating from outside the system is highlighted by the fact that the hacker, Alexey Borodin, developed a method that allowed users to make fake in-app purchases by creating a closed world to "validate" the in-app purchase against a faked Apple Store using self-certified security certificates and a domain name server based in Russia [13180]. This external manipulation of the system from outside sources contributed to the success of the hack. Therefore, the software failure incident involving the fake in-app purchases hack demonstrates a combination of factors both within and outside the system that led to the security breach. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident in the articles was caused by a flaw in Apple's in-app purchase system that allowed a Russian hacker, Alexey Borodin, to make fake in-app purchases without human participation [13190, 13323]. - Borodin's hack exploited a vulnerability in the in-app purchase validation process on iOS devices, allowing users to bypass the legitimate purchase process and access paid content for free [13190, 13323]. - The flaw in Apple's system allowed Borodin's workaround to function by creating a proxy server that mimicked Apple's servers, enabling users to make unauthorized in-app purchases without direct human intervention [13190, 13323]. (b) The software failure incident occurring due to human actions: - The software failure incident also involved human actions, particularly on the part of the hacker, Alexey Borodin, who actively developed and shared the method to exploit the in-app purchase system [13190, 13323]. - Borodin's actions in creating and publicizing the hack led to the widespread abuse of the system by users, impacting developers who lost revenue from the fake in-app purchases [13190, 13323]. - Developers and Apple were prompted to take action in response to Borodin's actions, such as implementing fixes and investigating the security breach caused by the human-initiated hack [13190, 13323]. |
Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - The incident reported in the articles is not related to hardware failure. It is primarily focused on a software vulnerability that allowed users to make fake in-app purchases [13190, 13323, 13180]. (b) The software failure incident occurring due to software: - The software failure incident reported in the articles is due to a software vulnerability in Apple's in-app purchase system that was exploited by a Russian hacker, Alexey Borodin. The flaw allowed users to make fake in-app purchases without actually paying for the content. This vulnerability originated in the software system designed for in-app purchases [13190, 13323, 13180]. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident described in the articles is malicious in nature. The incident involved a Russian hacker, Alexey Borodin, who developed a method to make fake in-app purchases in iOS apps, affecting a significant number of apps downloaded from the iTunes App Store [13190, 13323, 13180]. Borodin's method allowed users to make in-app purchases for free by exploiting a vulnerability in the in-app purchase validation process, thereby bypassing the legitimate payment system and potentially defrauding developers of their revenue. The hacker's actions were intentional and aimed at undermining the monetization system of apps, demonstrating malicious intent to harm the system and exploit users and developers. (b) The software failure incident is non-malicious in the sense that it was not caused by unintentional errors or faults in the software itself. Instead, the incident was a result of a deliberate hack by the Russian hacker, Alexey Borodin, who actively developed and shared a method to exploit a vulnerability in the in-app purchase system on iOS devices [13190, 13323, 13180]. The failure was not a random glitch or bug but a targeted attack on the system's security and revenue model, indicating a malicious intent rather than a non-malicious software flaw. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident: - The software failure incident involving fake in-app purchases was not accidental but rather a deliberate hack by a Russian hacker named Alexey Borodin [13190, 13323]. - Borodin intentionally developed a method to allow users to make fake in-app purchases in apps downloaded from the iTunes App Store, undermining the monetization system of many apps [13190, 13323]. - Borodin justified his method by questioning why users should pay for content that is already included in the purchased app, indicating a deliberate attempt to bypass the payment system [13323]. - The hack was not a result of accidental decisions but a calculated effort to exploit a vulnerability in the in-app purchase system [13190, 13323]. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident related to development incompetence is evident in the articles as it was caused by a flaw in Apple's in-app purchase system that allowed a Russian hacker, Alexey Borodin, to make fake in-app purchases. The flaw was due to Apple using deprecated methods for in-app purchase checking, where validation was done on the device rather than through the app developer's servers and Apple's servers. This flaw demonstrated a lack of professional competence in ensuring the security of in-app purchases [13190, 13323]. (b) The accidental aspect of the software failure incident is seen in how the hack developed by Alexey Borodin allowed users to make in-app purchases for free, undermining the monetization system of many apps unintentionally. The hack exploited a method that Apple had deprecated, leading to unintended consequences where users could defraud developers by making fake in-app purchases. This accidental outcome highlights the unintended consequences of using outdated and insecure methods for in-app purchase validation [13180, 13323]. |
Duration | temporary | (a) The software failure incident described in the articles was temporary. The incident involved a method developed by a Russian hacker that allowed users to make fake in-app purchases in some apps downloaded from the iTunes App Store. Apple was investigating this method, and developers were uncertain about detecting or taking action against users who exploited the system. The hacker's method undermined the monetization system of many apps, and there were risks associated with using the system, such as exposing users' Apple ID and password. Apple was looking into the security implications and the potential impact on developers' revenues [13323, 13180]. (b) The software failure incident was not permanent, as it was caused by specific circumstances related to the method developed by the hacker. The incident was not a fundamental flaw in the software itself but rather a vulnerability that allowed users to exploit the system for fake in-app purchases. It was not a permanent failure of the software but a temporary issue that required investigation and potential fixes to prevent further exploitation [13323, 13180]. |
Behaviour | value, other | (a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. (b) omission: The failure in this incident is not due to the system omitting to perform its intended functions at an instance(s). (c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. (d) value: The software failure incident is related to the system performing its intended functions incorrectly. The incident involves a method developed by a Russian hacker that allowed users to make fake in-app purchases in some apps downloaded from the iTunes App Store, undermining the apps' monetization system [13323]. (e) byzantine: The failure does not involve the system behaving erroneously with inconsistent responses and interactions. (f) other: The behavior of the software failure incident is related to a security vulnerability exploited by the hacker to make fake in-app purchases, bypassing the proper validation process and potentially defrauding users and developers [13323]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, non-human, theoretical_consequence, other | (a) death: People lost their lives due to the software failure - There is no mention of any deaths caused by the software failure incident in the provided articles [13190, 13323, 13180]. (b) harm: People were physically harmed due to the software failure - There is no mention of any physical harm caused to individuals due to the software failure incident in the provided articles [13190, 13323, 13180]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incident in the provided articles [13190, 13323, 13180]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident impacted developers who were potentially losing payments as a result of the hack, affecting their revenues [13323]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone activities due to the software failure incident in the provided articles [13190, 13323, 13180]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident affected the in-app purchase system and the security of the App Store, impacting developers and potentially leading to fraudulent activity [13323]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences, such as impacting developers' revenues and potentially leading to fraudulent activity [13323]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences such as the risk of fraud, the need for developers to update their apps, and the importance of protecting developers in the mobile platform ecosystem [13323]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident led to a significant number of apps being affected, potentially undermining the monetization system of those apps [13323]. |
Domain | entertainment | (a) The software failure incident reported in the articles is related to the entertainment industry. The incident involved a Russian hacker developing a method to make fake in-app purchases in various popular games and apps downloaded from the iTunes App Store, affecting at least 115 games including titles like Tap Tap Revenge 4, Temple Run, Plants vs Zombies HD, Infinity Blade 1 and 2, Fruit Ninja, Fifa 2012, and Angry Birds [13190]. The in-app purchases affected by the hack were a key method used by many free apps to charge users, rather than having an upfront price on the App Store. This method of monetization through in-app purchases has become increasingly important for developers to make money from their apps [13190]. The incident highlighted the importance of security in the App Store and the potential risks for developers and users due to fraudulent activities like fake in-app purchases. The hack demonstrated a vulnerability in the in-app purchase system, which could undermine the monetization system of a significant number of apps in the entertainment industry [13323]. Overall, the software failure incident was primarily related to the entertainment industry and the monetization of apps through in-app purchases. |
Article ID: 13190
Article ID: 13323
Article ID: 13180