Update at 2:30PM PST - Apple investigating iOS in-app purchase hack

Russian developer ZonD80 has figured out how to circumvent Apple's iOS In-App Purchase program, allowing iPhone, iPad, and iPod touch users to grab digital game items, upgrade to full versions of apps, and purchase additional content for free. As first spotted by Russian blog i-ekb, the video above shows an "in-app proxy" (no jailbreak required!) that lets you make in-app purchases without actually making a purchase.

The hack reportedly works on all Apple devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later). That being said, certain in-app purchases do not work in specific regions around the world (possibly because the developers properly protected their apps ). To use this "trick" yourself, you need to perform the following steps (for the record, I do not recommend doing this, especially given that you have to hand over your login credentials, and I do not condone it either, as it is stealing):

Install two certificates: cacert.pem and itcert.pem.

Connect via Wi-Fi network and change the DNS to 62.76.189.117 (update: he's changed it to 91.224.160.136).

Press the Like button, enter your Apple ID and password.

Essentially, this circumvention technique relies on installing certificates for a fake in-app purchase server as well as a custom DNS server. The latter's IP address is then mapped to the former, which in turn allows all "purchases" to go through. What's really worrying, however, is that ZonD80 could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. In other words, this is not a good hack to try.

ZonD80 runs a website called In-AppStore.com where everything is hosted for the hack to work, and he is accepting donations to support the development of the project as well as keep the servers up and running, according to 9to5Mac. The webpage does not load for me, but it does for my colleagues. Given the nature of this news, the server may be under additional stress. Either way, if you can't access the site, you can't try this hack because it requires files from the server.

I have contacted Apple about this issue and will update you if I hear back. iOS developers should be wary of losing revenue from fake in-app purchases until Cupertino fixes this security flaw. Users of this hack should be wary that they are handing over their data to an unknown individual.

Update at 9:30AM PST - The site is now loading for me and ZonD80 has posted the following message:

Hi everyone. I moved info site go blogspot. Currently service is down due to high load. Currently we have VPS with 512mb memory aboard, and there is no way to satisfy everyone with such hardware. Apple is a big company, I am not. If you want to help me to buy really dedicated 4-quad core server with at least 4gbytes of ram - donate to paypal account zond80@me.com Setup of dedicated server usually took 2-3 days. Sorry, guys.

Something tells me Apple will get to him before he gets the new server up.

Update at 2:30PM PST - Apple investigating iOS in-app purchase hack

See also: