A Russian developer has published what looks like a way to circumvent Apple's in-app purchase system, allowing users to "buy" items without paying in iOS. The method, which involves installing a pair of security certificates and then changing the DNS record, does not require jailbreaking or specialized knowledge, and it allegedly runs on anything with iOS 3.0 to 6.0. It looks to have been picked up first by Russian site I-ekb. The video below shows it in action, and 9to5 Mac has confirmed that it worked for them, though comments on I-ekb indicate not all apps are susceptible. Users of the trick, meanwhile, are giving up something of their own: 9to5 Mac reports that some device information and the user locale are pulled when using it. That's not unusual for a developer, but in this case the project's general unsavoriness makes it unclear what else is being collected and how the information is being used.
For Apple, this could indicate a major problem, even if it's fixed quickly. In-app purchases are a huge driver of app revenue, and this trick doesn't rely on heavily modifying the system or doing anything that the average user would find too threatening. We've reached out to Apple to see if it's aware of the issue, but it's unclear how well the tool is working now anyway: its creator is currently soliciting donations to keep the servers that power it running.
Update: Apple has just gotten back to us with the following comment:
"The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating."