Hackers release browser-based 'jailbreak' for iPhone 4
Hackers on Sunday released the first "jailbreak" for the iPhone 4, a browser-based exploit that allows users to run unauthorized code. However, some reported that the modification results in broken MMS and FaceTime functionality.
A hacker who uses the handle "comex," a member of the iPhone Dev Team, released the hack through a website, jailbreakme.com. Users can visit the site in their iPhone browser to begin the jailbreaking process.
The software modification is the first release for Apple's latest handset hardware, the iPhone 4. Some users reported that the jailbreak managed to break FaceTime and MMS functionality on the device.
Comex, via Twitter, said that he was able to reproduce the issues and is working on a fix. The latest jailbreak does not work with iPads running iOS 3.2.1.
Unlike previous jailbreaks, which required users to run software on their Mac or PC and tether their iPhone to their computer, the latest hack is done entirely within the Safari browser. Users simply visit the URL to begin the process, which modifies the iOS mobile operating system found on the iPhone, iPod touch and iPad.
The iPhone 4 jailbreak comes less than a week after the U.S. Library of Congress officially made it legal for users to jailbreak their iPhone to run unauthorized software. The government approved the measure as an exemption to a federal law which prevents the circumvention of technical measures that keep users from accessing and modifying copyrighted works.
The warranty-voiding jailbreak process allows users to run software not approved by Apple, which has no plans to allow users to install third-party applications downloaded from outside its sanctioned App Store. Hackers have created their own custom applications -- many free, and some for purchase from an alternative storefront known as Cydia.
Jailbreaking can also be used to unlock a phone, allowing it to be used on carriers that do not have access to the iPhone.
Apple has been criticized for its strict control over the iPhone App Store, requiring that all applications be approved before they are made available for download. The company has defended this practice, stating that it keeps faulty and potentially dangerous software from being made available, as well as banning unsavory content such as pornography.
In addition to allowing access to legitimate third-party software, both free and paid, through services like Cydia, jailbreaking can also be used to pirate App Store software, one major reason why Apple has fought the practice.
Comments
Apple should fix this quick. It is horrible to execute a hack within the confines of a mobile browser.
Just avoid visiting that website.
I wonder who will get the blame? Is there any question who it will be? What will the trolls attack as an insecure, useless device? Who will the tech blogs go after? The iPhone Dev-Team? The ass hat users who compromised their phones? The malware author? Nope. We all know who they will go after don't we.
...We all know who they will go after don't we.
The Library of Congress?
Personally, I'd wait a week to run this. comex et al are a good group, but it's always good to let a few days to a week pass before you brick your phone.
Can't permanently brick your iPhone with jailbreaking, but waiting for a new iOS jailbreak is good nonetheless.
I'm all for jailbreaking the phone but it's a bit scary that you can run code in a browser to do it. This is just waiting for someone to exploit some high profile commercial site and pwn hundreds of thousands of iPhones...
Apple should fix this quick. It is horrible to execute a hack within the confines of a mobile browser.
Yep. It's one thing to access your system with a direct connect hack, but to access it via a website means that Safari and iOS have a major hole.
Umm, doesn't this mean that a malicious website could also "jailbreak" the iPhone and install a rootkit, then do really bad things with your phone, steal your information, call 976 numbers, and so on?
I'm all for jailbreaking the phone but it's a bit scary that you can run code in a browser to do it. This is just waiting for someone to exploit some high profile commercial site and pwn hundreds of thousands of iPhones...
It does mean there can be access to root but I think that it can’t be done without user intervention that exceeds going to the website. Could it be cleverly hidden so users don’t realize what they are doing? Possibly.
Ok, that was very dumb of the author of the exploit to allow such a method to get into the public light. It obviously takes one heck of a security bug or several to be able to execute code that can jailbreak a device through the web browser. If Apple does not fix that exploit now, they could have one hell of a mess on their hands. If someone manages to get you to go to a link, or hijacks the browser.... This was a total blackhat move to just drop an exploit like this into the wild.
Nonsense. All Apple products are super secure. Only jailbreakers can get hacked.
Nonsense. All Apple products are super secure. Only jailbreakers can get hacked.
It takes one hell of a hack to jailbreak an iPhone through the web browser. It's not a hard concept to understand. You should not be able to run a program on an unjailbroken phone that could perform superuser operations that will grant superuser operations to the default user account on the phone. To be able to do such a thing is an exploit and a hack. If someone can run a jailbreak program through the browser they can essentially run anything they want. If you understand how to jailbreak or root a phone, you would understand this. This is a HUGE security flaw.
...It obviously takes one heck of a security bug or several to be able to execute code that can jailbreak a device through the web browser. If Apple does not fix that exploit now, they could have one hell of a mess on their hands...
Relax. If a software update doesn't fix the issue, then a press conference surely will. Most likely, million dollar labs are behind the security of iOS4. Plus, it's a challenge for the entire mobile industry, as you can see from this thread: http://forums.appleinsider.com/showt...hreadid=111796 (well, their problems may not be as specific, but having a browser exploit to hack your phone just marks the spot.)
I've JB two iPhone 4's and after the install is complete everything works fine. When you need to restart your iPhone 4 you lose two key features, FaceTime and MMS. I've heard you can do a restore to get it back but I've not been able to. Let me know if anyone else has the same probs or has a workaround.
They've fixed that. Facetime / MMS are ok.
Number one reason to JB....MyWi. Simply brilliant.
http://www.cultofmac.com/mywi-tether...k-review/43645
Relax. If a software update doesn't fix the issue, then a press conference surely will. Most likely, million dollar labs are behind the security of iOS4. Plus, it's a challenge for the entire mobile industry, as you can see from this thread: http://forums.appleinsider.com/showt...hreadid=111796 (well, their problems may not be as specific, but having a browser exploit to hack your phone just marks the spot.)
But there is the question of how the rootkit gets onto the phone. If it could be loaded onto your phone through a drive-by download through an exploit in the web browser, I would say the developer of the browser you are using has a problem on their hands. Otherwise a root-kit is only a root-kit and would still take user intervention to get onto the phone. The question to be asked at this moment is can the jailbreak be run without requiring the user to do anything? The answer to that question is the most important one that people should be asking right now. No phone is secure, and I am not trying to say Android does not have security holes either, to contrast, I would put your mentioned root-kit at moderate, but a browser flaw that also gains superuser access is critical if it can run without permission, because that is exactly the kind of way that a root-kit could be installed onto a phone.