Recently a Russian hacker by the name of Alexei Borodin released a hack to the public that lets iOS users download In App Purchases, or IAPs for short, for free. Apple announced the iOS flaw will be fixed in iOS6, but gave developers a workaround in the meantime.
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid. iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
In addition, the Russian hacker has now given out a similar hack, but this time for mac. The hack works almost all the same. It is known if Apple will try to fix this vulnerability in time for their 10.8 Mountain Lion release, which is due in just a few days from now. The hacker also noticed that over 8 million free purchase transactions have been made via the vulnerability.