Just as Masas found a vulnerability in Facebook and got rewarded, the Fluoroacetate duo, Richard Zhu and Amat Cama, earned $50,000 for finding a hack on the iPhone X!
The Fluoroacetate duo found a hack that allowed them to retrieve a photo that had been deleted from the device!
During a Pwn2Own contest in Tokyo, where hackers competed to find bugs in iOS and Android, two hackers who teamed up as “Fluoroacetate” discovered a vulnerability in the iPhone X. Apple was informed of the bug as soon as the duo traced the scenario and demonstrated it. The duo found this bug on the latest iOS (12.1) and reported it according to the Pwn2Own rules.
The hack retrieved a photo that was deleted from the cell phone.
However, the image was accessed from the recently deleted folder. This folder was accessed through a third-party interaction, which in the case mentioned above was a malicious Wi-Fi access point. As per the Forbes report, the hack was capable of retrieving a lot more information than just a deleted image.
On the iPhone X, deleting any picture prompts a message saying that the picture will be deleted from both the device and iCloud storage. As soon as you proceed with “Delete,” the photo is deleted from the parent folder but remains in a recently deleted folder for about 30 days. This is the case if you have iCloud storage. Otherwise, the picture is immediately deleted from both the parent folder and the recently deleted items.
Confirmed! The @fluoroacetate duo combined a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In the demo, they grabbed a previously deleted photo. In doing so, they earn themselves $50K and 8 Master of Pwn points. #P2OTokyo
— Zero Day Initiative (@thezdi) November 14, 2018
However, the duo found a way to access this recently deleted folder through a vulnerability in the just-in-time (JIT) compiler used on the iPhone. The just-in-time compiler processes code as the program runs, which increases the device’s performance. It was learned that, due to this vulnerability in the compiler, any malicious remote actor can access the information on the device. The Fluoroacetate duo used an image to demonstrate this scenario during the contest.
The bug is expected to be resolved by the next update. Until then, the iPhone X remains vulnerable to attacks from malicious access points.
Wait for Apple’s next update. Until then, stay tuned!