Apple to close in-app purchase hack in iOS 6, offers interim fix

Apple has outlined a way for iOS developers to protect themselves against an exploitthat lets users gain free access to paid add-on content sold within their apps.

In a new support document posted today, the company provided detailed guidelines, urging developers to use its receipt validation system that cross-checks purchases made inside applications with the company's own records. It also said that it will be taking extra precautions to keep this from happening in the next version of iOS, due out later this year.

"We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases," Apple spokesperson Tom Neumayr told CNET. "This will also be addressed with iOS 6."

The exploit was created by Russian programmer Alexey Borodin, and appeared late last week. It uses a proxy system to send purchase requests to third-party servers where they are validated and sent back to the application as if the transaction had gone through. In order to use the trick, users needed to install special security certificates on their devices, as well as be on a Wi-Fi network.

The new support document includes details on how to set up protection through Apple's receipt validation system as well instructions for validating transactions that have already been completed. In addition to posting the information on its site, Apple sent out the following e-mail to developers urging them to set up the receipt validation:

It's unclear how many developers were, and continue to be targeted by the exploit. In an interview with The Next Web last week, Borodin said that more than 30,000 in-app purchases were made using the service.