replay attack on Apple IAP receipt

In this scenario, the receipt data can be recorded before the client sends it to the developer server for verification, and then replayed to the developer server:

  1. Suppose the receipt data is <receipt-something>; it has been verified and the purchase transaction has completed.

  2. Append a space to the receipt data: <receipt-something><space>.

  3. Submit it to the developer server again.

  4. The developer server first base64-encodes <receipt-something>, trailing space included, wraps it in a JSON object like {"receipt-data": "<receipt-something><space>"}, and sends it to https://buy.itunes.apple.com/verifyReceipt. Because this byte string differs from the one the server already processed, any "already used this receipt" check keyed on the raw receipt data does not fire.

  5. Apple's server returns status = 0: the trailing space does not invalidate the receipt.

  6. Now you can buy the same IAP item with the same receipt over and over again: each replay looks like a fresh receipt to the developer server, while the receipt's contents, including its transaction identifiers, are unchanged.

  7. ???

  8. Profit!!!11!111
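The replay above, simulated end to end as an added example (this is not code from the original post, and it does not talk to Apple). A constructed stand-in for the verifyReceipt endpoint reproduces the one property the scenario depends on, namely that a receipt with trailing whitespace still comes back with status 0. The response field names (status, receipt.bundle_id, receipt.in_app[].transaction_id and product_id) follow Apple's verifyReceipt response; the fake receipt is plain JSON rather than a signed PKCS#7 blob, and the bundle and product identifiers are made up. The vulnerable server deduplicates on the exact bytes the client sent, as the post describes; the hardened server beside it deduplicates on the transaction_id that Apple decoded, and also checks bundle_id and product_id, which is the shape of the fix a practitioner would ship:

```python
import base64
import json

# ---- Constructed stand-in for https://buy.itunes.apple.com/verifyReceipt ----
# A real receipt is a PKCS#7 blob signed by Apple; this fake receipt is just
# JSON, so "verification" here is only a parse. It reproduces the single
# property the post relies on: a receipt with trailing whitespace appended
# still returns status 0 (json.loads tolerates the trailing space).
def fake_apple_verify_receipt(request_body: bytes) -> dict:
    req = json.loads(request_body)
    try:
        raw = base64.b64decode(req["receipt-data"])
        receipt = json.loads(raw)
    except (ValueError, KeyError):
        return {"status": 21002}           # Apple's code for malformed receipt-data
    return {"status": 0, "receipt": receipt}


def _wrap_for_apple(receipt_bytes: bytes) -> bytes:
    # Step 4 of the post: base64 the raw bytes (trailing space included) and
    # wrap them in {"receipt-data": ...}.
    b64 = base64.b64encode(receipt_bytes).decode()
    return json.dumps({"receipt-data": b64}).encode()


# ---- Developer server as the post describes it ------------------------------
class VulnerableServer:
    """Deduplicates on the exact bytes the client sent, so b"<receipt> " is new."""

    def __init__(self):
        self.seen_receipts = set()
        self.granted = []

    def redeem(self, receipt_bytes: bytes) -> str:
        if receipt_bytes in self.seen_receipts:
            return "duplicate"
        resp = fake_apple_verify_receipt(_wrap_for_apple(receipt_bytes))
        if resp["status"] != 0:
            return "invalid"
        self.seen_receipts.add(receipt_bytes)
        for item in resp["receipt"]["in_app"]:
            self.granted.append(item["product_id"])
        return "granted"


# ---- Hardened version: key on what Apple decoded, not on what the client sent
class HardenedServer:
    def __init__(self, bundle_id: str, products: set):
        self.bundle_id = bundle_id          # the app this server belongs to
        self.products = products            # product_ids it is willing to grant
        self.used_transactions = set()
        self.granted = []

    def redeem(self, receipt_bytes: bytes) -> str:
        resp = fake_apple_verify_receipt(_wrap_for_apple(receipt_bytes))
        if resp["status"] != 0:
            return "invalid"
        receipt = resp["receipt"]
        if receipt.get("bundle_id") != self.bundle_id:
            return "wrong app"              # valid receipt, but for another app
        fresh = []
        for item in receipt.get("in_app", []):
            if item["product_id"] not in self.products:
                return "unknown product"
            if item["transaction_id"] not in self.used_transactions:
                fresh.append(item)
        if not fresh:
            return "duplicate"              # every transaction already consumed
        for item in fresh:
            self.used_transactions.add(item["transaction_id"])
            self.granted.append(item["product_id"])
        return "granted"


# ---- Constructed sample receipt and the replay from the post ----------------
SAMPLE_RECEIPT = json.dumps({
    "bundle_id": "com.example.game",
    "in_app": [{"transaction_id": "1000000012345678",
                "product_id": "com.example.game.gems100"}],
}).encode()


def run_replay(server, receipt: bytes = SAMPLE_RECEIPT, replays: int = 3) -> list:
    """Submit the receipt once, then replay it with one more trailing space each time."""
    results = [server.redeem(receipt)]
    for i in range(1, replays + 1):
        results.append(server.redeem(receipt + b" " * i))
    return results


if __name__ == "__main__":
    print(run_replay(VulnerableServer()))
    print(run_replay(HardenedServer("com.example.game", {"com.example.game.gems100"})))
```

The vulnerable server grants on every replay because each padded blob is a byte string it has never seen; the hardened server grants once, since Apple decodes the same transaction_id out of every variant. Keying the "already used" check on Apple's decoded response rather than on the client-supplied bytes is what closes the replay, whatever whitespace or other decoder-tolerated junk the client appends.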

See also this thread, especially the comment by Ben S.

By the way, I am still trying to figure out how to roll back a transaction. lol
