With the original 'attack' route blocked, Borodin sidestepped the authentication issue by migrating the service to a new server. Apple was able to pressure the host of the original server -- which was located in Russia -- into dropping Borodin's service, but according to the Russian hacker, the new server is hosted in an offshore country in an attempt to evade Apple's legal requests.
Borodin tells us that the new service has been updated and cuts out Apple's servers, "improving" the protocol to include its own authorisation and transaction processes. The new method "can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled."
The hacker has also updated the service to require that users be signed out of their iTunes account in order to mitigate claims that he is logging user information. "They [the users] need to sign out so they don't scream to the Internet that I am stealing their credentials."
It still appears that apps which properly validate in-app purchase receipts are unaffected by the hack; however, many apps do not do this. Borodin wants Apple to adapt its APIs or place new blocks on its service.
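The receipt validation the previous paragraph refers to, shown as an added Python example that is not from the article, from Borodin's service or from Apple's own code. The defensive point is that the check runs on the developer's server, which talks to Apple's `verifyReceipt` endpoint directly over TLS with certificate verification (the default for `urllib`), so a device whose DNS or App Store traffic has been redirected cannot substitute its own answer. The example assumes the unified receipt JSON layout (`status`, `receipt.bundle_id`, `receipt.in_app[]`); the sample verdicts in `demo()` are constructed, not real App Store responses.

```python
import json
import urllib.request

# Apple's production receipt-verification endpoint (legacy verifyReceipt API).
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def fetch_apple_verdict(receipt_b64: str) -> dict:
    """Send the device-supplied receipt to Apple from the server side.

    Apple answers with a JSON document carrying a 'status' code (0 means the
    receipt is genuine) and the decoded 'receipt'. urllib verifies the TLS
    certificate, so a spoofed DNS entry on the phone does not affect this hop.
    """
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(
        APPLE_VERIFY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_purchase(verdict: dict, expected_bundle_id: str,
                      expected_product_id: str, seen_transaction_ids: set):
    """Decide whether a verdict from Apple proves a purchase of one product.

    Returns (ok, reason). Besides checking Apple's status code, it confirms the
    receipt belongs to this app, names the product being unlocked, and has not
    been presented before (a valid receipt replayed for a second unlock is a
    classic failure mode). `seen_transaction_ids` stands in for persistent
    storage and is updated on success.
    """
    if verdict.get("status") != 0:
        return False, "apple rejected receipt (status %s)" % verdict.get("status")
    receipt = verdict.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "receipt issued for a different app"
    for item in receipt.get("in_app", []):
        if item.get("product_id") != expected_product_id:
            continue
        tx = item.get("transaction_id")
        if not tx:
            return False, "purchase entry lacks a transaction id"
        if tx in seen_transaction_ids:
            return False, "transaction %s already redeemed" % tx
        seen_transaction_ids.add(tx)
        return True, "ok"
    return False, "product not present in receipt"


def demo() -> list:
    """Run the validator over constructed verdicts; returns the outcomes."""
    good = {"status": 0, "receipt": {"bundle_id": "com.example.game",
            "in_app": [{"product_id": "com.example.game.coins100",
                        "transaction_id": "1000000000000001"}]}}
    # A response an interposed server might send: Apple would report 21002
    # (malformed receipt-data) for junk, never status 0.
    rejected = {"status": 21002}
    wrong_app = {"status": 0, "receipt": {"bundle_id": "com.other.app",
                 "in_app": [{"product_id": "com.example.game.coins100",
                             "transaction_id": "1000000000000002"}]}}
    seen = set()
    product = "com.example.game.coins100"
    return [
        validate_purchase(good, "com.example.game", product, seen)[0],
        validate_purchase(rejected, "com.example.game", product, seen)[0],
        validate_purchase(wrong_app, "com.example.game", product, seen)[0],
        validate_purchase(good, "com.example.game", product, seen)[0],  # replay
    ]


if __name__ == "__main__":
    print(demo())
```

`fetch_apple_verdict` is the only networked step; in a real deployment its result is passed straight into `validate_purchase`, and the unlock is granted only when that returns `True`. Storing redeemed transaction ids in a database rather than an in-memory set is what makes the replay check hold across restarts.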
Of course, we recommend users do not use this service but rather continue to support developers with legitimate in-app purchases.
Read More [via TNW]