When news hit this morning that a Russian hacker figured out a shockingly easy way to pirate most IAP that doesn't even require jailbreaking, we chatted a bit in the ol' TouchArcade command center and decided that it was in poor taste to post about. Unfortunately (or fortunately, depending on which way you look at this) additional details have come to light, and MacWorld actually got in touch with the guy behind the whole thing. The article goes into the hows and whys of the hack, and the motivation is mind-boggling, essentially boiling down to CSR Racing [Free] of all things.
The hack works by fiddling with some things on your device to trick apps into thinking that they're communicating with Apple's servers that handle IAP transactions. Typically, you hit the buy button on some IAP item, you enter your password, it ships all this off to Apple, Apple charges your iTunes account, and sends a response back to the app that you've bought that IAP. With the hack enabled, apps go through the same process, except instead of sending your login credentials to Apple, you're sending them to a server in Russia which issues the same "Hey, this user bought this IAP" response that Apple does without the whole charging your iTunes account part.
If it's not obvious, and aside from the whole piracy aspect, using this hack is an exceedingly bad idea because you are transmitting your iTunes account information to an unknown third party. In fact, the hacker behind the whole thing had zero issue flat-out telling MacWorld, and I quote, “I can see the Apple ID and password.” While your actual billing information is safe, you're completely handing over the keys to your iTunes account. If you're OK with that, you've got to be pretty hard up for some free smurfberries.
Apple has yet to issue a response regarding this whole ordeal, but it wouldn't surprise me to see some action from them very quickly.
UPDATE: Apple just responded via the New York Times:
“The security of the App Store is incredibly important to us and the developer community,” said Natalie Harrison, an Apple spokeswoman, in a statement. “We take reports of fraudulent activity very seriously, and we are investigating.”