Apple says it's investigating an exploit that currently allows users to purchase digital goods inside of iOS apps without actually paying for them.
"The security of the App Store is incredibly important to us, and the developer community," Apple spokesperson Natalie Harrison told CNET in a prepared statement. "We take reports of fraudulent activity very seriously and we are investigating."
The company did not provide any estimate of when action would be taken. Russian technology blog i-ekb.ru, which first reported on the exploit earlier today, noted that the hosting company currently serving the Web site, along with the details on how to enable the exploit, has already been contacted by Apple with a take-down notice.
The exploit was created by a Russian programmer named Alexey V. Borodin. In an interview with The Next Web earlier today, Borodin said that more than 30,000 in-app purchases have been made using the service.
The technology behind the exploit re-routes in-app purchase requests. Instead of going to Apple, or a developer's secured server, they go to an external server that pretends to be Apple and gives the purchase the OK. The setup requires installing two special security certificates on the phone, as well as making purchases over Wi-Fi with modified DNS settings, so it does not work without some modifications.
Affected developers, as well as Apple, face a loss of profits from would-be spenders if the exploit remains in use. Developers get 70 percent of the revenue from purchases made inside their apps, while Apple gets the other 30 percent.