Alexey V. Borodin, a computer hacker from Russia, has figured out a way to implement a "man-in-the-middle" exploit in the Apple App Store that allows anyone who uses his technique a way to get free in app purchases.
The exploit, which works mostly on games where you buy a new level, power ups, and the like, allows you to send traffic to Borodin's web server that is setup to look like an Apple App Store server and then sends your iOS device a bogus acknowledgment that you've paid for the said app upgrade.
At the time I'm posting this, the bogus server that Borodin setup is offline. I'm not sure if that is because he was ordered to take it offline or that it is so busy from people trying to exploit the hack, that the server is just too busy to respond.
Update - 7/16/12
It didn't take long, but Apple has unleashed their engineers and lawyers. The service that allows free downloading of some in-app purchases has been shutdown and I'm sure the engineering teams are hard at work beefing up security features for the next version of Mac OS X and iOS.