A Russian hacker has created a man-in-the-middle attack to fake payment for in-app purchases. This makes it look like the user is paying, but in fact nothing is deducted from their iTunes balance. The hack works without jailbreak.
The hack doesn’t work in all apps with in-app purchases, notes 9to5 Mac. Some apps use validation for in-app purchases, which prevents the fraud from taking place. The hack, discovered by a Russian developer, requires the user to install some profiles and change DNS settings in the connection settings.
A jailbreak is not required; the developer shows the hack on an iPhone 4S with iOS 6, for which no jailbreak is yet publicly available. The hack should also work on an iPad or iPod touch, running iOS versions 3.x to 6.0.
The Russian developer reverse engineered the process of in-app payments to make the hack possible. In the interface you can see that with an in-app purchase a popup appears from the developer, where you have to press Like to confirm the purchase.
Apple has yet to comment on this crackdown on its in-app purchase process. It seems that in-app purchases are preserved if the hack is removed from the device or purchases on another iOS device are downloaded again. Doing the hack yourself is not recommended, as it is a man-in-the-middle process and it is unclear whether the developer has malicious ulterior motives to intercept users’ Apple ID passwords.