Update: Manton Reece points out that the issue of in-app purchases being made without challenge is probably due to the App Store's holding onto purchase authentication for a few minutes after buying or updating an app. Craig Hockenberry cites the advantages and potential pitfalls of 'communal computing' on iDevices.
Several iPhone and iPad users have noticed charges totaling several hundred dollars on their iTunes accounts. At first, the issue looked to be part of the App Store's recent woes, but it appears to be linked to an app called Fishies from PlayMesh -- best known for its iFarm app.
Fishies allows you to create a virtual fish tank. You can raise fish, become friends with other users and make purchases for your underwater world. The program itself is cute and colorful, therefore appealing to kids. While the app itself is free, you have to purchase in-game currency called virtual pearls. These run from 99 cents for 10 pearls to $149.99 for 1950. To do this, you need to input your iTunes account information -- though some are reporting that the app isn't prompting for this before the purchase is made.
Designer Mike Rohde wrote on Friday that the app had made nearly $200 in unauthorized purchases from his iTunes account. When his son asked for permission to buy virtual pearls, Rohde turned him down and urged him to sell items to generate currency for free. When both father and son tried to do this, the program kept crashing. Later, they discovered that the app had gone ahead and purchased the pearls without any iTunes account information entered.
There are other reports ranging from a 13-year-old purchasing $375 worth of virtual pearls (although in that case, the kid had Dad's iTunes credentials) to a Scottish man who had £485 ($730) disappear from his account after the program did not prompt him to enter his iTunes information. The Fishies app itself has nearly 700 1-star comments on the App Store, many citing frequent crashes of the sort that led to inadvertent purchases. Other complaints include the inability to receive the in-game currency after purchases were authorized.
As of yet, there has been no comment from PlayMesh. As of today, Fishies is not even listed among the company's games. Apple's response has been to tell customers to file a dispute with their bank or credit card company, although after Rohde called Apple's iPad support line (suggested by Paul Thurrott's similar experience) he did get a refund from Apple for the largest purchase.
If you do have this app, the best suggestion for now is to delete it from your iOS device until the bugs are worked out [or make sure that you aren't entering your password on your device for other purchases and then handing it immediately to your kid]. If you worry that questionable purchases are being made, unlink your credit card from your iTunes account and dispute the charges. If you want to keep the app, turn on Restrictions (aka parental controls) to prevent access to in-app purchases.
[Hat tip to Daniel Jalkut]