The hack appears to originate from a Russian developer named ZonD80, and a video of the exploit can be seen here:
The hack doesn’t require your iPhone or iPod to be jailbroken, and it apparently works on devices running iOS 3 and upwards. In technical terms, the hack relies on three steps: installing a CA certificate, installing an in-appstore.com certificate, and changing the DNS records in the device’s Wi-Fi settings.
The vulnerability resembles a similar one that affected the Mac App Store last year, so hopefully Apple will take steps to fix it quickly, or offer a new way for developers to validate the security certificates and make it harder for someone to subvert the in-app purchase process.
In the meantime, ZDNet published an article explaining how developers may be able to protect themselves from the vulnerability in the short term.
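Why a user-installed CA combined with a DNS change matters to an app that relies only on the device trust store, and how a pinned certificate fingerprint changes the outcome, is shown in the following model. It is an added example, not code from this article, from ZDNet or from Apple. The host name, CA names and certificate bytes are constructed placeholders, and trust evaluation is reduced to "issuer is in the trust store" as a simplifying assumption.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # host name the certificate is issued for
    issuer: str    # name of the CA that signed it
    der: bytes     # stand-in for the DER encoding (constructed, not a real cert)

    def fingerprint(self) -> str:
        # SHA-256 over the encoded certificate, the value an app would pin
        return hashlib.sha256(self.der).hexdigest()


# Constructed sample data; every name below is hypothetical.
HOST = "purchase.example.test"
GENUINE = Cert(HOST, "Vendor Root CA", b"constructed-genuine-leaf")
IMPOSTOR = Cert(HOST, "User Installed CA", b"constructed-impostor-leaf")

SYSTEM_ROOTS = frozenset({"Vendor Root CA"})   # CAs shipped with the device
PINS = frozenset({GENUINE.fingerprint()})      # fingerprints compiled into the app


def trust_store_accepts(cert, host, trusted_issuers):
    """Default check: host name matches and the issuer is trusted by the device."""
    return cert.subject == host and cert.issuer in trusted_issuers


def pinned_accepts(cert, host, trusted_issuers, pins):
    """Hardened check: the default check plus a match against the app's own pins."""
    return (trust_store_accepts(cert, host, trusted_issuers)
            and cert.fingerprint() in pins)


def evaluate(user_installed_cas=()):
    """Return {server: (trust_store_result, pinned_result)} for both servers.

    user_installed_cas models the CA-certificate step; presenting IMPOSTOR for
    HOST models the effect of the changed DNS records.
    """
    roots = SYSTEM_ROOTS | set(user_installed_cas)
    servers = (("genuine", GENUINE), ("impostor", IMPOSTOR))
    return {name: (trust_store_accepts(c, HOST, roots),
                   pinned_accepts(c, HOST, roots, PINS))
            for name, c in servers}


if __name__ == "__main__":
    print("stock device:      ", evaluate())
    print("after CA installed:", evaluate(["User Installed CA"]))
```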