Apple has started emailing developers today with more information regarding the recently discovered in-app purchasing exploit. Earlier this month, news broke of a hack that allowed users to acquire paid in-app content for free.
The email contains a link to a new support page, posted on Apple’s developer website, that provides devs with information on the issue, and offers up a temporary fix. It also states that a permanent patch is coming in iOS 6…
9to5Mac shares an excerpt from the new support page:
“A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.”
Apple has also provided a Q&A section for three of the most frequently asked questions from developers over the past few days. If you’re a developer, or just interested, you can find them here.