Apple has acknowledged a vulnerability within iOS that allows users to access in-app content without paying for it.
The glitch will be fixed with iOS 6, Apple said on its developer site. Developers whose apps require receipt validation, however, are not affected.
"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device," Apple said. "An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."
The bug was discovered last week by a Russian developer and picked up by 9to5Mac. The hack doesn't require a great deal of skill and can be pulled off in three steps. It also works on devices running iOS 3.0 and above.
The developer, known as ZonD80, operates In-AppStore.com. His three-step process to avoid in-app payments includes installing CA and in-appstore.com certificates as well as changing the DNS record in Wi-Fi settings, 9to5Mac said.
Once that's installed, users will see a different pop-up message when trying to make in-app purchases. Rather than the usual request for password and confirmation from Apple, a window will pop up that says "Like in-appstore.com?" There's the option to choose a "LIKE" button on the right or another button (in Russian) on the left. Choosing "LIKE" reportedly accesses the in-app content for free.
In-app purchases have been available via Apple's App Store since October 2009. Last year, amidst concerns that children and other users were making unwanted in-app purchases on users' accounts, Apple added a password requirement for in-app purchases with iOS 4.3.