Marco Arment, developer of Instapaper, believes that the hack will only work with standalone in-app purchases, not subscription-based ones like Newsstand apps employ. Via email, Arment told Macworld: "It probably won't affect the auto-renewing subscriptions, since they rely on a lot of server-side processing to track, but it wouldn't surprise me if it could affect any other [in-app purchase] type (including non-renewable 'subscriptions' like what Instapaper uses) if the apps don't check with Apple's verification servers from their own web services."
iOS users who try the hack may find that, in addition to robbing the developers behind apps that they enjoy, they've put themselves at risk. "I can see the Apple ID and password," for accounts that try the hack, Borodin told Macworld. "But not the credit card information." Borodin said that he was "shocked" that passwords were passed in plain text and not encrypted.
According to Tabini, though, "Apple presumes it's talking to its own server with a valid security certificate." But that was clearly a mistake--"This is entirely Apple's fault," Tabini added.
What next
Fixing the exploit won't be too difficult for Apple, but Tabini says, "I can't think of an easy way to solve this problem without an iOS update." While the servers that power Borodin's exploit are currently down at this writing, there's nothing to stop them from sprouting up again, or even to block him from releasing the code so that anyone can run it. That means that customers who don't install the presumed iOS update that would patch this vulnerability could, in theory, continue to avail themselves of free in-app purchases for apps that continue to validate as they always have.
Apple could also change how app makers validate their receipts--which seems like a must. But that process will take time. In the meantime, developers can protect their apps against the exploit by switching to secure, Web-based receipt validation. But that fix will only work for users who upgrade to the latest version of their apps.
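One way to implement the server-side validation described above, as an added Python example that is not from Macworld or from any developer quoted in the article. It assumes Apple's verifyReceipt endpoint and the transaction-receipt field names of that era (status, receipt.bid, product_id, transaction_id) as Apple documented them; the transport is injectable so the identifier and replay checks can be exercised offline with constructed replies.

```python
import json
import urllib.request

# Apple's receipt verification endpoint (assumption: as Apple documented it).
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

def post_to_apple(receipt_b64, url=APPLE_VERIFY_URL):
    """Forward the receipt from OUR server to Apple over TLS. The phone never
    talks to the validation endpoint, so spoofed DNS or a user-installed CA
    on the device cannot steer this request to a fake 'Apple'."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

def validate_purchase(receipt_b64, expected_bundle_id, expected_product_id,
                      seen_transactions, transport=post_to_apple):
    """Return (ok, reason); grant the item only when every check passes."""
    reply = transport(receipt_b64)
    if reply.get("status") != 0:                 # 0 means Apple accepted it
        return False, "apple rejected receipt (status %r)" % reply.get("status")
    receipt = reply.get("receipt") or {}
    # A genuine receipt for another app or product is not payment for THIS
    # item, so check the identifiers, not just the status code.
    if receipt.get("bid") != expected_bundle_id:
        return False, "receipt belongs to another app"
    if receipt.get("product_id") != expected_product_id:
        return False, "receipt is for another product"
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transactions:      # one real purchase replayed
        return False, "missing or replayed transaction_id"
    seen_transactions.add(txn)
    return True, "ok"

def fake_transport(reply):
    """Test helper: stands in for post_to_apple with a constructed reply."""
    return lambda _receipt_b64: reply

# Constructed sample replies (not real Apple responses) for offline exercise.
SAMPLE_OK = {"status": 0, "receipt": {
    "bid": "com.example.reader", "product_id": "com.example.reader.pro",
    "transaction_id": "1000000012345678"}}
SAMPLE_OTHER_APP = {"status": 0, "receipt": {
    "bid": "com.example.othergame", "product_id": "com.example.reader.pro",
    "transaction_id": "1000000099999999"}}
SAMPLE_REJECTED = {"status": 21002}  # assumption: Apple's 'malformed receipt'
```

In production, seen_transactions would be a durable store keyed per account rather than an in-memory set, so the same receipt cannot be redeemed twice across restarts.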
As for Borodin, he didn't seem particularly concerned about what Apple does next. Asked whether he was afraid of how Apple might respond to him directly, he replied, "No," adding, "I'm a happy user of iPhone 4S ... I think they will hire me."