A Safari vulnerability on the iPhone X was revealed by two hackers at the Mobile Pwn2Own contest in Tokyo this week. The contest winners, members of the Fluoroacetate team, discovered a bug that allowed them to access photos in the “Recently Deleted” folder of the Photos app on an Apple device running the latest iOS 12.1. For this discovery, Fluoroacetate team members Richard Zhu and Amat Cama received a reward of $50,000 (roughly Rs. 36 lakhs) and 8 Master of Pwn points in the contest. Additionally, Apple has been warned of this vulnerability, as per the rules of the Mobile Pwn2Own contest.
Forbes reports that the two hackers came together to find this unique vulnerability in the Safari browser on Apple devices running iOS 12.1. However, the attack might not be limited to just photos. During the setup of the iPhone used in the demo, a photo had been deleted but remained on the disk. As it was the first file that the hackers found on the disk, it was used for the vulnerability demo.
The report goes on to explain that the bug was in the JIT (just-in-time) compiler, which is designed to make the iPhone faster by speeding up computer code compilation. In a “coffee shop scenario”, the two hackers managed to exploit the JIT compiler bug through a malicious Wi-Fi access point.
While Apple has been informed about this bug, it hasn't yet issued a resolution. The tech giant hasn't even released a statement yet, but we can expect that to happen soon given the popularity of this event.
It is turning out to be quite the time for Apple, as it was recently caught up in a couple of fiascos. Firstly, analysts and suppliers have dropped iPhone shipment estimates, leading the company to lose significant market value. Next, Gadgets 360 reported the alleged explosion of an iPhone X in the US after an update to iOS 12.1.