replay attack on Apple IAP receipt

in this senario

Before client sends verify receipt to developer server, the receipt data can be recorded and replayed to developer server,

  1. suppose the receipt data is <receipt-something>, it's verified, and buy transaction has finished.

  2. add a space to receipt data <receipt-something><space>

  3. submit to developer server again

  4. developer server will first base64 the <receipt-something>, with a trailing space, the wrap it into a JSON object like {'receipt-data': <receipt-something><space>}, then send it to

  5. apple server will return status = 0

  6. now you can buy IAP stuff using the same receipt over and over and over again.

  7. ???

  8. Profit!!!11!111

see also this thread, especially comment by Ben S

btw I am still trying to figure out how to do a rollback transaction. lol