A pair of white-hat hackers has discovered a Safari vulnerability that allowed them to steal files from an iPhone X running the latest software.
The duo, Richard Zhu and Amat Cama, teamed up under the moniker Fluoroacetate to demonstrate the exploit at the Zero Day Initiative’s Mobile Pwn2Own contest in Tokyo, Japan on Wednesday.
According to the Zero Day Initiative, the duo successfully pulled off the attack, and in doing so, won a $50,000 prize. Apple has also been informed about the vulnerability, per the contest’s rules.
The exploit leveraged a previously unknown vulnerability in Apple’s Safari web browser. The hackers were able to steal a recently deleted photo from an iPhone X device running Apple’s latest iOS 12.1 software update.
Confirmed! The @fluoroacetate duo combined a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In the demo, they grabbed a previously deleted photo. In doing so, they earn themselves $50K and 8 Master of Pwn points. #P2OTokyo
— Zero Day Initiative (@thezdi) November 14, 2018
Reportedly, Zhu and Cama connected to the target iPhone using a malicious Wi-Fi access point. They then combined an unpatched just-in-time (JIT) compiler bug with an out-of-bounds access to steal a file from the iPhone X’s disk.
A JIT compiler is a software program that translates computer code while an app is running. Although meant to make devices faster, JIT compilers can be vulnerable to malicious attacks.
A Zero Day Initiative spokesperson called the attack a “coffee shop scenario,” meaning that it could be leveraged when users are connected to unprotected free Wi-Fi networks in public.
While the proof-of-concept attack only stole a recently deleted photo, Forbes points out that the vulnerability could be used to steal any file from a target iPhone. The duo only chose the deleted photo because it was the first file that appeared during their attack.
Of course, the photo wasn’t actually “deleted.” Instead, it was marked for deletion and placed in Apple’s “Recently Deleted” folder in Photos.
That allows users a failsafe against accidentally (and permanently) deleting images. But it also keeps the file on disk for 30 days before it’s officially wiped from the device. Users can, of course, permanently delete photos in Recently Deleted manually.
It’s worth noting that the duo also demonstrated a similar attack on an iPhone X earlier last week.
The iPhone X, in fact, was the target of a handful of other attacks at the Pwn2Own Tokyo 2018 conference. Many of those exploits ended up failing, however, owing to the tough encryption and security standards that Apple bakes into its devices.
Still, Zhu and Cama managed to rake in a total of $215,000 in prize money and ended up winning the Mobile Pwn2Own 2018 contest overall. Zhu, for his part, is an experienced iOS hacker with a proven track record of finding vulnerabilities in Apple’s software.
Pwn2Own is an annual white-hat hacking contest sponsored by Trend Micro’s Zero Day Initiative. It offers cash and other prizes to security researchers and hackers who find and demonstrate vulnerabilities.
The exploits are then shared with impacted firms so that they can patch them. In this case, it’s likely that Apple will issue a security fix for the vulnerability in an upcoming version of iOS.