In response to serious bug, Saurik disables purchases in Cydia Store
Saurik (Jay Freeman) was forced to make a tough decision involving the Cydia Store on Thursday after receiving troubling news from concerned developers in the jailbreak community.
As it would seem, a severe bug discovered in the platform by Andy Wiik could have enabled arbitrary Cydia Store package purchases via users’ PayPal accounts if they were logged into a Cydia account with a linked PayPal account and browsing potentially malicious third-party repositories in the app.
To resolve this issue as quickly as possible, Saurik disabled purchases in the Cydia Store. Consequently, you can no longer purchase packages from default repositories such as BigBoss, but you can still access the add-ons you bought previously.
Notably, you can still use and browse Cydia and make purchases from third-party repositories like Packix, Chariz, and Dynastic Repo, which are considered “trusted” and handle payments through their own custom methods – PayPal included.
To be precise, absolutely no personal information was leaked. This means you shouldn’t need to change your PayPal account password. Now that Cydia Store purchases have been officially disabled, future discrepancies shouldn’t transpire.
Saurik issued an official response to the matter on /r/jailbreak Thursday afternoon. The full quote can be found below:
Unless you are logged in and using Cydia while also browsing a repository with untrusted content (which, FWIW, is hard to not do with Cydia <- I do appreciate this sad fact about the ecosystem: it was never clear to users that they should be careful installing random repositories), this is “not an issue”. As you would only ever be logged in to Cydia in order to actively purchase something or download a paid purchase (Cydia, very much on purpose as a security feature of the software, does not cache login tokens when you close the app) and effectively no one is buying anything anymore (for multiple, even numerous!, reasons), this issue affects very few users despite being worded in a very vague way to, I would assume purposefully, cause maximal chaos and carnage, leading to questions that go so far as “how do I do this without being jailbroken”. If you are not jailbroken, you definitely should have no concern about this.
In particular, this vulnerability is not a data leak (as some people are wondering, and given the vague charge from Nullpixel is a perfectly valid thing to be thinking: one would presume that I somehow lost access to PayPal control tokens allowing someone else to take money from your PayPal account: this categorically is not the issue at hand today), and there is definitely no need to go out of your way to disable tokens if you are not actually using Cydia anymore: it is “only” (in quotes as this is still a serious issue… if this were actually a product still being used by anyone ;P) the ability to force a purchase by a user who is currently logged in to Cydia; there is no concern about the data in your Cydia account that I know of at this time.
The reality is that I wanted to just shut down the Cydia Store entirely before the end of the year, and was considering moving the timetable up after receiving the report (to this weekend); this service loses me money and is not something I have any passion to maintain: it was a critical element of a healthy ecosystem, and for a while it helped fund a small staff of people to maintain the ecosystem, but it came at great cost to my sanity and led lots of people to irrationally hate me due to what amounted to a purposeful misunderstanding of how profit vs. revenue works. (That said, shutting this down doesn’t actually mitigate the bulk of my costs right now, which involve many terabytes of bandwidth per month continuing to be spent on hosting the archived repositories I took on as my responsibility; I am thankfully currently making enough money from my new job to cover these costs.)
However, given the push from Nullpixel and Andy Wiik to do something about it this morning, I’ve had to reconsider my timelines; I have therefore gone ahead and shut down the ability to purchase things in Cydia, effective immediately. I will put together a more formal post about the arc of Cydia, likely to be published next week.
Saurik confirms that he will maintain previous purchases in another comment, quoted below:
I am intending to maintain the ability to download existing packages: the accounting and backend implementation burden of this is much lower than continuing to allow purchases, and removing the payment code means I don’t have to worry that I messed up anything else in the payment backend, security-wise.
In case all of this sounds confusing, we want to reiterate that you can still use Cydia and third-party repositories, but we want to take this time to remind everyone about the importance of using only reputable third-party repositories.
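The bug class the article describes (content from an untrusted repository triggering a purchase on behalf of a user who is merely logged in) is easiest to see side by side with a handler that refuses such requests. The following is an added illustration, not Cydia’s code; the origin allowlist, session model, request shapes and package name are all constructed for the example.

```python
# Added illustrative example (not Cydia's code). Models a purchase endpoint that
# treats "logged in" as sufficient authorization, beside a hardened version that
# also requires a trusted origin and a per-session purchase token.
import secrets

TRUSTED_ORIGINS = {"store.example", "bigboss.example"}  # constructed allowlist


class Session:
    def __init__(self, user):
        self.user = user
        # Per-session anti-forgery token; only the first-party purchase UI has it.
        self.purchase_token = secrets.token_hex(16)
        self.purchases = []


def purchase_weak(session, request):
    """Weak handler: any request riding on a logged-in session buys the package."""
    if session is None:
        return "not logged in"
    session.purchases.append(request["package"])
    return "purchased"


def purchase_hardened(session, request):
    """Hardened handler: a logged-in session alone does not authorize a charge."""
    if session is None:
        return "not logged in"
    # Content loaded from a third-party repository must not be able to start a
    # purchase, so the request origin is checked against the allowlist first.
    if request.get("origin") not in TRUSTED_ORIGINS:
        return "rejected: untrusted origin"
    # Then require the token only the first-party purchase screen holds,
    # compared in constant time.
    if not secrets.compare_digest(request.get("token", ""), session.purchase_token):
        return "rejected: missing or bad purchase token"
    session.purchases.append(request["package"])
    return "purchased"


def demo():
    session = Session("alice")
    # Constructed request as crafted by untrusted repository content: it rides on
    # the existing login but carries neither a trusted origin nor the token.
    forged = {"package": "com.example.tweak", "origin": "evil-repo.example"}
    # Constructed legitimate request from the first-party purchase screen.
    legit = {"package": "com.example.tweak", "origin": "store.example",
             "token": session.purchase_token}
    return {"weak_forged": purchase_weak(session, forged),
            "hardened_forged": purchase_hardened(session, forged),
            "hardened_legit": purchase_hardened(session, legit),
            "purchases": list(session.purchases)}


if __name__ == "__main__":
    print(demo())
```

The weak handler records the forged purchase; the hardened one rejects it and still accepts the genuine first-party request.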
Adding and using shady third-party repositories carries a higher risk of having your payment information compromised. If you can’t tell whether a third-party repository is reputable or not, then you can use this comprehensive list of third-party repositories as your guide. Consider those in our list to be ‘trusted’ and ‘reputable.’
Albeit unrelated, we should add that the Sileo package manager is still in development and aims to replace Cydia as the jailbreak community’s primary package installer and repository manager. There’s no ETA for its release yet, but you should be able to access the same repositories and packages that you could in Cydia.
Are you happy that Saurik responded to the problem promptly? Share your thoughts in the comments section below.