A number of security loopholes in applications listed on the Mac App Store allow users to download paid applications for free and repackage bootleg programs with malicious code, according to an “eWeek” report (http://macte.ch/HEftd).
Less than 24 hours after Apple unveiled the Mac App Store for Mac OS X, reports emerged on various user forums, including “Pastebin” and “Daring Fireball” (http://www.daringfireball.net), that some paid apps don’t properly validate App Store receipts, making it easy to obtain those programs for free, the article adds. Users can copy the App Store receipt from any legitimate Mac App Store download — free or paid — and paste it in to validate other paid applications, according to the posted instructions.
“This isn’t true for all paid Mac App Store apps,” wrote John Gruber of Daring Fireball, but only for those applications with which developers were lax about applying Apple’s recommendations on validating store receipts. The app checks to ensure there is a valid receipt, but it doesn’t check that the ID listed on the receipt belongs to the app, he says.
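The weakness Gruber describes, as an added illustration that is not code from the article or from any of the affected apps: a lax validator accepts any genuine store receipt, while one that follows Apple's guidance also requires the receipt's bundle ID and version to match the app doing the check. The receipt format, the `STORE_KEY` HMAC standing in for Apple's PKCS#7 signature, and the `com.example.*` bundle IDs are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the store's signing key. Real Mac App Store receipts
# carry a PKCS#7 signature chained to Apple's root CA; this example does not model that.
STORE_KEY = b"demo-app-store-signing-key"


def issue_receipt(bundle_id: str, version: str) -> dict:
    """Mimic the store issuing a signed receipt for one specific app."""
    payload = {"bundle_id": bundle_id, "version": version}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def signature_ok(receipt: dict) -> bool:
    """Is this a genuine, untampered receipt issued by the store?"""
    body = json.dumps(receipt["payload"], sort_keys=True).encode()
    expected = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["signature"])


def validate_lax(receipt: dict, my_bundle_id: str, my_version: str) -> bool:
    """The weak check: any receipt the store ever signed is accepted,
    including one copied out of an unrelated free download."""
    return signature_ok(receipt)


def validate_strict(receipt: dict, my_bundle_id: str, my_version: str) -> bool:
    """The recommended check: genuine AND issued for this app and version."""
    if not signature_ok(receipt):
        return False
    payload = receipt["payload"]
    return payload["bundle_id"] == my_bundle_id and payload["version"] == my_version


# Constructed scenario: a receipt from a free app pasted into a paid app's bundle.
FREE_RECEIPT = issue_receipt("com.example.freeapp", "1.0")
PAID_RECEIPT = issue_receipt("com.example.paidapp", "2.1")

if __name__ == "__main__":
    print("lax accepts free receipt:", validate_lax(FREE_RECEIPT, "com.example.paidapp", "2.1"))
    print("strict accepts free receipt:", validate_strict(FREE_RECEIPT, "com.example.paidapp", "2.1"))
    print("strict accepts own receipt:", validate_strict(PAID_RECEIPT, "com.example.paidapp", "2.1"))
```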
The lack of proper receipt validation makes it easier for users to pirate Mac App Store applications, and it seems inevitable that they will become readily available. “Someone who claims to provide you with paid applications for free may not simply give you a free program, they may give you an unwanted infection,” writes Sophos security researcher Chester Wisniewski on the “Naked Security” blog (http://macte.ch/4yJ6e).
Developers of applications like Angry Birds appear to have ignored Apple’s advice on validating App Store receipts before launching. Wisniewski says this allows people to reconfigure a paid application to run on other people’s Apple IDs without requiring them to purchase the app.