Go Redirect To Jail
Annoyed at having to constantly pay for downloadable content in games and apps on his iPhone, a Russian hacker has created a trick to avoid paying for it. His workaround uses a cunningly crafted server that he hosts. He then changes the device's DNS settings so that every attempt to make a content purchase is redirected to this server.
That server tells the device a payment has been made, so the download continues, without the end user having to do anything apart from knowing the DNS address. With this exploit out in the wild (Apple has taken down his original YouTube video and other posts, but it is out there), expect criminal gangs to be rapidly offering cheap access to such addresses to rake in the cash before Apple can fix the problem.
Apple On the Case
One crumb of solace for Apple is that this trick only works on some applications: there are two ways of enabling in-app purchases in iOS, and the hacker's method only works against one of them. However, Apple has to patch iOS pretty quickly, likely requiring a full user update to stop the rot.
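The distinction that matters is where the purchase is confirmed. An app that trusts whatever the device's DNS resolves to is fooled by the redirect; an app that hands the receipt to the developer's own server, which validates it with Apple and checks its contents, is not, because the phone's DNS setting plays no part in that server-to-server call. The following is an added example of that server-side check, not code from the article or from Apple; the response field names (status, receipt.bid, receipt.product_id, receipt.transaction_id) follow the verifyReceipt response format of the time, and the sample responses are constructed.

```python
"""Server-side validation of an in-app purchase receipt (added example).

In production the developer's server POSTs {"receipt-data": <base64>} to
Apple's verifyReceipt endpoint and validates the JSON it gets back; this
module covers the validation step with constructed responses.
"""
import json

APPLE_STATUS_OK = 0

# Constructed responses standing in for what Apple's endpoint returns.
GOOD_RESPONSE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.game", "product_id": "com.example.game.coins100",
    "transaction_id": "1000000012345678"}})
WRONG_APP_RESPONSE = json.dumps({"status": 0, "receipt": {
    "bid": "com.other.app", "product_id": "com.example.game.coins100",
    "transaction_id": "1000000087654321"}})
REJECTED_RESPONSE = json.dumps({"status": 21002})  # malformed receipt data


def validate_receipt_response(raw, expected_bundle_id, expected_product_id,
                              seen_transaction_ids):
    """Return (ok, reason); content is unlocked only when ok is True."""
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "response is not JSON"
    if data.get("status") != APPLE_STATUS_OK:
        return False, "apple rejected receipt: status %s" % data.get("status")
    receipt = data.get("receipt") or {}
    # Status alone is not enough: a receipt can be genuine yet belong to a
    # different app or a cheaper product, so pin both to expected values.
    if receipt.get("bid") != expected_bundle_id:
        return False, "bundle id mismatch"
    if receipt.get("product_id") != expected_product_id:
        return False, "product id mismatch"
    # A real receipt replayed for a second unlock is the other classic abuse;
    # the server records every transaction id it has already honoured.
    tx = receipt.get("transaction_id")
    if not tx:
        return False, "missing transaction id"
    if tx in seen_transaction_ids:
        return False, "transaction already redeemed"
    seen_transaction_ids.add(tx)
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    for resp in (GOOD_RESPONSE, GOOD_RESPONSE, WRONG_APP_RESPONSE, REJECTED_RESPONSE):
        print(validate_receipt_response(resp, "com.example.game",
                                        "com.example.game.coins100", seen))
```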
According to MacWorld, who ran the story, Apple has responded with a vanilla statement: "The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously, and we are investigating."
A change in how in-app purchases are handled will be needed, which could leave potentially tens of thousands of apps in need of an update, either to the more secure method or to a new one. A full iOS update might be rushed out ahead of iOS 6.0 if this proves to be a major problem.
In the meantime, app creators could rapidly start to lose revenue and Apple will have to muscle through its updates, which could end up annoying far more people than this issue affects. With new Apple hardware on the way, the company will want this issue solved quickly.