ZonD80 in-app purchases hack

Updated 2:30pm Pacific with a statement from Apple.

A new hack surfaced today allowing iOS users to download in-app purchases without actually paying for them, according to 9to5Mac. The hack comes from Russia and is a three-step process that works on all phones, not just jailbroken ones.

Apple says it is aware of the issue and is working toward rectifying it.

“The security of the app store is incredibly important to us and the developer community,” said Natalie Harrison, a spokesperson for Apple, in a statement to VentureBeat. “We take reports of fraudulent activity very seriously and we are investigating.”

The developer published his hack in a YouTube video, hiding his identity other than his voice and YouTube name ZonD80. In order to circumvent Apple and prevent the system from charging your credit card, you must install two certificates, as well as change your DNS settings to ZonD80’s IP. The settings are blocked from view in the instructional video because “the project is early at this stage.” The hack works on a number of phone types as well as iOS versions. ZonD80 showed off the hack on an iPhone 4S running iOS 6, though 9to5Mac notes that it works with iOS versions as far back as iOS 3.

9to5Mac also mentions that ZonD80 is running a website and asking for donations in order to put more power behind its servers as the inevitable Apple shutdown comes its way.

Once installed, users will see a push notification from ZonD80 that reads, “If you like in-appstore.com, click like button!” as opposed to the traditional Apple ID request.

If this isn’t something that can be blocked soon, it could pose a major problem to those apps that are free-to-play. Free-to-play apps rely heavily (if not primarily) on in-app purchases along with advertising. The implications are obvious and have the potential to dissolve revenue streams. 9to5Mac notes that the hack is not always successful, which may stem from the fact that developers have the option to approve in-app purchase receipts before a transaction is completed.

Here’s the video. We caution you not to use the video’s instructions as you’re inviting someone — who’s doing something obviously sketchy — to access your data. Remember how engaging in risky business online leads to your data getting jacked? Yeah.

We have reached out to Apple and will update this post upon hearing back.

via 9to5Mac
