Apple's in-app purchases cracked by Russian hacker
According to reports by 9to5Mac and others, the hack works by installing alternate security certificates and changing a device's DNS records to direct traffic through a server run by Alexey V. Borodin.
The Next Web reports that Borodin claims his site doesn't collect any personal information from users, besides their Apple IDs and passwords, and that more than 30,000 in-app purchases have passed through his servers so far, free of charge.
Apple's in-app purchasing system allows developers to verify in-app purchases using their own servers rather than Apple's, and that currently seems to be the only way to close the loophole.
In-app purchases were introduced in iOS 3.0 in June of 2009. Developers use the system to offer additional premium features or game content. Purchases can be designed as one-time upgrades or as replenishable items, such as in-game currencies. In-app purchases also allow subscriptions, such as those to magazines and newspapers offered via Apple's Newsstand app.
At press time, Borodin's server for facilitating the hack was still active and requesting donations.
Apple has not yet responded to requests for comment.