With one document to iOS developers, Apple has both confirmed the method for stealing in-app iOS purchases and given developers some ways to combat it. The issue is that an attacker can pretend to be Apple's own App Store server and thereby let a user make in-app purchases without actually paying, though the details are more involved than that.

A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker's server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.

To block this issue, Apple strongly suggests that developers validate purchases from their own servers instead of directly from the device. Apple also describes a few fixes for developers who don't use their own servers. The bottom line, however, is that this is an open hole that can continue to be exploited in iOS 5.1 and earlier if developers aren't careful to secure their apps, although Apple has taken some steps to help out as much as it can in the meantime. Apple says that "iOS 6 will address this vulnerability" for one and all, giving developers one more reason to look forward to it.
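The reason server-side validation closes the hole is that the attacker controls the phone's DNS and the user-installed CA, but not the developer's server: a server that talks to Apple over properly verified TLS and checks the receipt contents cannot be redirected the same way. The following is an added example of such a server-side validator, written for this article and not code from Apple's document or any real app. It assumes the verifyReceipt endpoint and its `receipt-data` request field as Apple documented them at the time, and the reply field names `bid`, `product_id` and `transaction_id` are assumed from the receipt format of that era; the bundle and product identifiers and the App Store reply are constructed so the example runs offline.

```python
"""Server-side In-App Purchase receipt validation (added example, not Apple's code)."""
import json
import ssl
import urllib.request
from typing import Callable, Dict, NamedTuple, Optional, Set

# Apple's production verification endpoint as documented at the time (assumption:
# the sandbox endpoint was https://sandbox.itunes.apple.com/verifyReceipt).
VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

# Transport: POST a JSON body to a URL and return the parsed JSON reply.
PostFn = Callable[[str, bytes], Dict]


def https_post(url: str, body: bytes) -> Dict:
    """Real transport. ssl.create_default_context() verifies the certificate
    chain against the *server's* trust store and checks the hostname, so a CA
    the user installed on a phone, or a poisoned DNS entry on that phone, has
    no effect on this request."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class Result(NamedTuple):
    ok: bool
    reason: str
    product_id: Optional[str] = None


class ReceiptValidator:
    def __init__(self, bundle_id: str, products, post: PostFn = https_post,
                 url: str = VERIFY_URL):
        self.bundle_id = bundle_id
        self.products = set(products)
        self.post = post
        self.url = url
        # Transaction ids already credited; a real deployment keeps this in a DB
        # so the same receipt cannot be replayed to earn the item twice.
        self.seen: Set[str] = set()

    def validate(self, receipt_b64: str) -> Result:
        """Ask the App Store about a base64 receipt the app uploaded, then check
        that the reply describes a purchase of *our* products in *our* bundle."""
        body = json.dumps({"receipt-data": receipt_b64}).encode("utf-8")
        try:
            reply = self.post(self.url, body)
        except Exception as exc:  # network or TLS failure: fail closed
            return Result(False, f"verification request failed: {exc}")
        if reply.get("status") != 0:
            return Result(False, f"App Store status {reply.get('status')}")
        receipt = reply.get("receipt") or {}
        # Field names below are assumed from the receipt format of that era.
        if receipt.get("bid") != self.bundle_id:
            return Result(False, "bundle id mismatch")
        product = receipt.get("product_id")
        if product not in self.products:
            return Result(False, f"unknown product {product!r}")
        tx = receipt.get("transaction_id")
        if not tx:
            return Result(False, "missing transaction id")
        if tx in self.seen:
            return Result(False, f"replayed transaction {tx}")
        self.seen.add(tx)
        return Result(True, "valid", product)


def constructed_app_store(reply: Dict) -> PostFn:
    """Constructed stand-in for the App Store so the example runs offline."""
    def post(url: str, body: bytes) -> Dict:
        if "receipt-data" not in json.loads(body):
            raise ValueError("request lacks receipt-data")
        return reply
    return post


# Constructed sample identifiers and reply (not real products or transactions).
BUNDLE = "com.example.game"
PRODUCTS = ["com.example.game.coins100"]
SAMPLE_OK = {"status": 0, "receipt": {"bid": BUNDLE,
                                      "product_id": PRODUCTS[0],
                                      "transaction_id": "1000000012345678"}}

if __name__ == "__main__":
    v = ReceiptValidator(BUNDLE, PRODUCTS, post=constructed_app_store(SAMPLE_OK))
    print(v.validate("ZmFrZS1yZWNlaXB0"))   # valid on first use
    print(v.validate("ZmFrZS1yZWNlaXB0"))   # rejected as a replay
```

The bundle-id, product-id and transaction-id checks matter even with a correct TLS setup: a response that merely says "status 0" is not enough, because a receipt for some other app, or a receipt that was already redeemed, is still a valid receipt as far as the App Store is concerned.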