Safari exploit used to gain control of iPhone at Pwn2Own
A team of Dutch researchers used a WebKit vulnerability in Mobile Safari to gain access to a fully patched iPhone 4S during a recent mobile Pwn2Own challenge. The attack circumvented Apple's code-signing requirements and grabbed the entire address book, photo and video database and web browsing history. It could not download SMS messages or emails from the device because those databases were not accessible and were also encrypted.
Though the attack was executed against an iPhone 4S with iOS 5, the vulnerability is also present in iOS 6. The Dutch team, led by Joost Pol of Certified Secure and colleague Daan Keuper, tested the exploit in the gold master version of iOS 6. They also confirmed it worked on all previous versions of the iPhone, iPad and iPod touch. Unless an update to iOS 6 happens before launch day, the attack will also be possible on an iPhone 5.
From detection to completed code, the exploit took about three weeks to develop and refine. You can read more about the exploit and the Dutch research team on ZDNet's website.