Hacker exploits iOS flaw for free in-app purchases


Fixing the exploit won't be too difficult for Apple, but Tabini says, "I can't think of an easy way to solve this problem without an iOS update." While the servers that power Borodin's exploit are down as of this writing, there's nothing to stop them from sprouting up again, or to block him from releasing the code so that anyone can run it. That means that customers who don't install the presumed iOS update that would patch this vulnerability could, in theory, continue to avail themselves of free in-app purchases in apps that keep validating receipts the way they always have.

Apple could also change how app makers validate their receipts, which seems like a must. But that process will take time. In the meantime, developers can protect their apps against the exploit by switching to secure, Web-based receipt validation. That fix, however, only works for users who upgrade to the latest version of their apps.

As for Borodin, he didn't seem particularly concerned about what Apple does next. Asked whether he was afraid of how Apple might respond to him directly, he replied, "No," adding, "I'm a happy user of iPhone 4S ... I think they will hire me."