An iOS exploit has been discovered that allows users to download in-app purchases for free.
Apple is investigating the hack, which fools apps into communicating with a spoof version of the App Store run on a custom server.
The server, set up by enterprising Russian coder Alexey V. Borodin, fakes the code receipts used by Apple that validate in-app purchases.
"Every in-app receipt is generic," Borodin told Macworld. The system was "easy to spoof", he added.
"It's my hobby, and it's a challenge to [freemium iOS game] CSR Racing."
The impressive-looking CSR Racing is free to download on iOS devices. Its developer is funding the project entirely through people paying for extras via in-app purchases.
"I set this up due to hungry and lazy developers. I was very angry to see that CSR Racing developer taking money from me every single breath."
Borodin's server has already buckled under the strain of people using the exploit.
The hack doesn't work for all in-app purchases, however. Those that use a different system of validating the download - by recognising the user's own iOS device - are safe. Still, a vast number of apps could be affected.
"The security of the App Store is incredibly important to us and the developer community," Apple spokeswoman Natalie Harrison said in response to the exploit. "We take reports of fraudulent activity very seriously, and we are investigating."
Borodin remains unconcerned about repercussions from his activities. "I'm a happy user of iPhone 4S," he concluded. "I think they will hire me."