A flaw has been discovered by Gregorio Zanon, co-owner of DigiDNA, while he was testing a new version of the iMazing backup tool.
Gregorio has found that backups of popular games like Angry Birds 2 and Tetris Free could be transferred from one Apple ID to another. That sounds like no big deal until you learn that the transfer also includes any in-app purchases.
Zanon has tested five apps which rely on IAPs (Angry Birds 2, Temple Run 2, Tetris Free, Candy Crush and Clash of Clans) and has posted the results on DigiDNA’s blog.
Now, before everyone jumps on the bandwagon and starts pointing the finger at Apple, the problem actually lies at the developers' feet, with what Zanon called “lazy coding”.
Developers of the compromised apps simply haven’t followed Apple’s recommendation to exclude purchased items from backups.
Instead, the affected apps store purchased items in the app’s sandbox, which is accessible in a backup. The in-app purchase weakness previously could be exploited by editing and restoring an iOS backup containing the hacked data.
Full restores like that are time-consuming, though, which is probably why a lot of people never took advantage of the flaws. With new backup tools like iMazing, which remove the friction of a full backup, users can export their hacked in-app purchases easily and share them.
All a user must do to get the “free” in-app purchase on his or her device is open up iMazing and restore the app file to their device, which barely takes a minute. The vulnerability doesn’t allow hackers to manipulate the app’s code itself, but it does make it very easy to get the purchases on your device from someone else.
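As an added example (not code from Apple, DigiDNA or any of the apps named above), this Swift sketch shows one way to follow the recommendation to keep purchased items out of backups. The `PurchaseStore` type, the `Purchases` directory and the `purchases.json` file name are hypothetical; `isExcludedFromBackup` is Foundation's own resource value.

```swift
import Foundation

// Hypothetical helper: keeps purchase state in a file that is flagged
// as excluded from backups, so it does not travel with a backup.
struct PurchaseStore {
    let fileURL: URL

    init(fileName: String = "purchases.json") throws {
        let fm = FileManager.default
        // Application Support is included in backups by default,
        // which is why the exclusion flag below is needed.
        let dir = try fm.url(for: .applicationSupportDirectory, in: .userDomainMask,
                             appropriateFor: nil, create: true)
            .appendingPathComponent("Purchases", isDirectory: true)
        try fm.createDirectory(at: dir, withIntermediateDirectories: true)
        fileURL = dir.appendingPathComponent(fileName)
    }

    func save(_ productIDs: Set<String>) throws {
        let data = try JSONEncoder().encode(productIDs.sorted())
        // An atomic write replaces the file on disk, and the flag belongs
        // to the file, so it is set again after every write.
        try data.write(to: fileURL, options: .atomic)
        try excludeFromBackup()
    }

    func load() throws -> Set<String> {
        guard FileManager.default.fileExists(atPath: fileURL.path) else { return [] }
        try excludeFromBackup() // re-assert the flag before trusting the file
        let ids = try JSONDecoder().decode([String].self, from: Data(contentsOf: fileURL))
        return Set(ids)
    }

    private func excludeFromBackup() throws {
        var url = fileURL // setResourceValues is a mutating call
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(values)

        // Read the value back and fail loudly if it did not stick.
        let check = try fileURL.resourceValues(forKeys: [.isExcludedFromBackupKey])
        guard check.isExcludedFromBackup == true else {
            throw CocoaError(.fileWriteUnknown)
        }
    }
}
```

Because the file no longer travels with a backup, the app has to rebuild it through the App Store's restore-purchases flow after a device restore.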
Article from Cult of Mac