In response to a serious bug, Saurik disables purchases in the Cydia Store
In response to a serious bug, Saurik has disabled purchases in the Cydia Store.

On Thursday, after receiving alarming reports from developers in the jailbreak community, Saurik (Jay Freeman) disabled purchases in the Cydia Store.

The serious bug, discovered by Andy Wiik, could allow packages to be purchased in the Cydia Store using a user's PayPal account. The affected accounts were those logged in to Cydia with a linked PayPal account while browsing a potentially malicious third-party repository. Packages can no longer be bought from the default repositories, but add-ons purchased earlier remain accessible. Cydia itself can still be used and browsed, and purchases can still be made from third-party repositories such as Packix, Chariz and Dynastic Repo, which are regarded as "trusted" and handle payments through their own custom methods, including PayPal. No personal data was leaked, so there is no need to change your PayPal password.

Saurik confirms that earlier purchases will be preserved in another comment, quoted below:

I am intending to maintain the ability to download existing packages: the accounting and backend execution burden of this is much lower than continuing to allow purchases and removing the payment code means I don’t have to worry that I messed up anything else in the payment backend, security-wise.

He also published his own comment on the matter on Thursday afternoon. His full statement follows:

Unless you are logged in and using Cydia while also browsing a repository with untrusted content (which, FWIW, is difficult to not do with Cydia <- I do appreciate this sad fact about the ecosystem: it was never clear to users that they should be careful installing random repositories), this is “not an issue”. As you would only ever be logged in to Cydia in order to actively buy something or download a paid purchase (Cydia, very much on purpose as a security feature of the software, does not cache login tokens when you close the app) and effectively no one is buying anything anymore (for multiple, even numerous!, reasons), this issue affects very few users despite being worded in a very vague way to, I would assume purposefully, cause maximal chaos and carnage, leading to questions that go so far as “how do I do this without being jailbroken”. If you are not jailbroken, you definitely should have no concern about this.

In particular, this vulnerability is not a data leak (as some people are wondering, and given the vague complaint from Nullpixel is a perfectly valid thing to be thinking: one would presume that I somehow lost access to PayPal authorization tokens allowing someone else to take money from your PayPal account: this categorically is not the issue at hand today), and there is definitely no need to go out of your way to disable tokens if you are not actually using Cydia anymore: it is “only” (in quotes as this is still a serious issue… if this were actually a product still being used by anyone ;P) the ability to force a purchase by a user who is currently logged in to Cydia; there is no concern about the information in your Cydia account that I know of at this time.

The reality is that I wanted to just shut down the Cydia Store entirely before the end of the year, and was considering moving the timetable up after receiving the report (to this weekend); this service loses me money and is not something I have any passion to maintain: it was a critical component of a healthy ecosystem, and for a while it helped fund a small staff of people to maintain the ecosystem, but it came at great cost to my sanity and led lots of people to irrationally hate me due to what amounted to a purposeful misunderstanding of how profit vs. revenue works. (That said, shutting this down doesn’t actually mitigate the majority of my costs right now, which involve many terabytes of bandwidth per month continuing to be spent on hosting the archived repositories I took on as my responsibility; I am thankfully currently making enough money from my new job to cover these costs.)

However, given the push from Nullpixel and Andy Wiik to do something about it this morning, I’ve had to reconsider my timelines; I have thereby gone ahead and shut down the ability to buy things in Cydia, effective immediately. I will put together a more formal post about the arc of Cydia, likely to be published next week.
