It's the thing of nightmares for Apple.
A Russian hacker named Alexey Borodin has over the weekend revealed details of a method that allows iPhone and iPad owners to obtain in-app goods for free.
It works by using a specifically crafted server hosted by the Russian. A change to an i-device's DNS settings then redirects all IAPs to the bogus server that then tricks the device into believing that the payment has been processed as normal.
A user does not need to hack or jailbreak their device for the system to work.
I set this up due to hungry and lazy developers,” Borodin told MacWorld. I was very angry to see that CSR Racing developer taking money from me every single breath.”
Note that the method does not work for all IAP. There are two ways for developers to implement IAP into their titles. Borodin's exploit is able to fool one of them – though he does promise a future revision that will open up all content for free.
The security of the App Store is incredibly important to us and the developer community,” Apple spokeswomen Natalie Harrison said in a transparently generic statement. We take reports of fraudulent activity very seriously, and we are investigating.”
Experts suggest that the loophole can only be closed via the release of a complete iOS update. Apple will also have to alter the way in which developers validate IAP – a time-consuming process.