A reportedly white hat hacker slash developer claiming to have cracked WP7’s Marketplace’s DRM sent a proof-of-concept application dubbed FreeMarketplace to WPCentral demonstrating the “push of a button” exploitation of some undisclosed vulnerability connected to anti-piracy mechanisms behind the Windows Phone 7 software distribution system, the Marketplace, that was convincing enough to WPCentral for them to make a teaser screenshot video demonstration of half of the exploit and run an article about it. From the clip:
Demonstrate an application that bypasses the security of the Windows Phone Marketplace. Specifically it downloads any program you want from the marketplace, rips the security off of it and then deploys it automatically to your phone or allows you to save XAP file to your hard drive.
WPCentral claims only they, the developer and Microsoft, whom they’ve contacted, know the details behind the exploit along with this FreeMarketplace program and that it is not [yet] in the wild. With any luck for those developers, Microsoft will manage to fix this situation before it becomes a more major situation.
Even when properly handled, one downside to the white hat approach when chased with blogging leverage is that some other hacker out there with less white a hat becomes determined to figure this out partly from scratch, knowing now that it’s possible, and succeeds. But in their white hatness they may have felt like they had little choice. In their article thread when one reader asks the author of the article essentially “wtf?” to which Daniel Rubino, the writer, offered this response:
Because MS has known about this for months already with little or no movement let alone acknowledgement of the problem. This isn’t knew. It’s an attempt to bring focus and urgency to the issue.
If that’s true it wouldn’t be the first time Microsoft has fielded such submissions with weak aggression. But depending on the nature of the exploit, and given that Microsoft has gone to some substantial lengths to appease and court WP7 developers, Microsoft could be looking at something that may require a lot of work that would affect many people if there’s some fundamental flaw in both the Marketplace and how applications interact with it, SDK stuff.
So the race is on between some unknown but potentially existing computer whiz bad guys and Microsoft’s phone people with fingers crossed that the white hat developer / hacker and WPCentral will keep all further details sealed until whatever’s vulnerable is no longer vulnerable.
Doug Simmons via BGR