Safari vulnerability lets hackers swipe recently deleted photos from iPhone X

Posted:
in iOS edited November 14
White-hat hackers Richard Zhu and Amat Cama at the Mobile Pwn2Own contest on Wednesday leveraged a previously unknown exploit that allowed the pair to extract a supposedly deleted photo from an iPhone X running the latest iOS 12.1.

Pwn2Own
Amat Cama (left) and Richard Zhu (middle) demonstrate an iPhone X attack at Mobile Pwn2Own 2018.


According to show sponsor Trend Micro's Zero Day Initiative, Zhu and Cama successfully demonstrated an attack involving Apple's Safari web browser to earn $50,000 on the Pwn2Own show floor in Tokyo.

The duo, operating as team Fluoroacetate, connected to the target iPhone X via a malicious Wi-Fi access point, then combined an unpatched just-in-time (JIS) compiler bug with an Out-Of-Bounds Access to grab a file from the phone's disk. A day earlier, Fluoroacetate plied a similar method for a sandbox escape and escalation on iPhone X over Wi-Fi.

As noted by Forbes, the potent attack can theoretically grab any number of files from a target device, but the photo happened to be the first file the pair came across in the exercise.

A closer look at the hack reveals the stolen photo was merely marked for deletion, meaning it was still on disk and showed up in Photo's "Recently Deleted" folder. Apple's iOS maintains a Recently Deleted album as a safeguard against accidental image deletion.

When a user "trashes" a photo, it remains on disk for 30 days, presenting an opportunity to recover the file. Images can be permanently destroyed by manually deleting them from the Recently Deleted album.

As per Pwn2Own's rules, Apple has been informed of the exploit and is presumably working on a fix that should be delivered in a future iOS update.

Apple's iPhone X was the target of multiple attempts at this year's Pwn2Own, including an unsuccessful browser attack from MWR Labs and a failed baseband exploit from Zhu and Cama.

Fluoroacetate racked up a total of $215,000 in prizes to win Mobile Pwn2Own 2018. Zhu is a veteran iOS hacker with a record of successful attacks, including the bypass of iPhone 7 security protocols using two Safari bugs at last year's Mobile Pwn2Own event.

Started in 2007, Pwn2Own is an annual hacking contest that offers cash and prizes to security researchers who find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Vendors are provided information about the exploits, giving them a chance to patch the bugs, hopefully before they are leveraged for nefarious means.

Comments

  • Reply 1 of 16
    title makes the issue much worse than it seems. annoyed with journalism these days. yeah...it's technically true, but it's also misleading.
  • Reply 2 of 16
    The fact that the file was a “deleted photo” isn’t really relevant.

    Congrats to the white hat for finding the vulnerability and getting a payday.

    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.

    Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.

    Google is doing it to keep the ad revenue flowing, so there’s that.  Personally, I’d never use Googles...
    cornchipwatto_cobra
  • Reply 3 of 16
    sflocalsflocal Posts: 4,301member
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
    macseekerslprescott
  • Reply 4 of 16
    SoliSoli Posts: 8,403member
    The fact that the file was a “deleted photo” isn’t really relevant.
    Deleted or saved, doesn't make a difference. It's not like we're talking about multiple nature photos where the worst ones were deleted. There could be nude photos, photos of  a DL or other picture that has personal and private information on it. I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.
    I pay for a VPN service which I use on Public WiFi, but CloudFlare, which introduced their fast, secure, no-tracking DNS service about a year ago now has an iOS and Android app. It's not a VPN for protecting all your data traffic, but on iOS (at least) it uses the VPN service for their DNS.


    Despite some potentially confusing language, you can use other VPN services, you just have to switch between them as you normally would once you get to an unsecured network.

    PS: My only qualm with how Apple treats all VPN services is they don't intelligently keep all their Apple-based traffic (or rather all non-VPN and local router splash screen) from being paused automatically until your VPN service connects. They don't even need to add this as an actual feature, but create the APIs so you can control this data flow from within the VPN apps themselves.


    sflocal said:
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
    It's kind of like breaking into and hot wiring a car. You got props if you can crack all the advanced security in a 2019 Bugatti Chiron in under 10 minutes, but no one cares that you can hotwire a 1984 Toyota Tercel in less than 60 seconds.
    edited November 14 neilmwatto_cobra
  • Reply 5 of 16

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked.   Does that mean that the attacker has to setup a WiFi access point and hope that the victim(s) connects or can an attacker make use of any public WiFi access point to work the attack?  If it’s the former as implied, I don’t we need to get too lathered about it.  The problem with an article like is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.  

  • Reply 6 of 16
    Soli said:

    sflocal said:
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
    It's kind of like breaking into and hot wiring a car. You got props if you can crack all the advanced security in a 2019 Bugatti Chiron in under 10 minutes, but no one cares that you can hotwire a 1984 Toyota Tercel in less than 60 seconds.

    That really made me laugh!

    Soliwatto_cobra
  • Reply 7 of 16
    I think Pwn2Own rulz!! I find white hat hacking very interesting.
    watto_cobra
  • Reply 8 of 16
    title makes the issue much worse than it seems. annoyed with journalism these days. yeah...it's technically true, but it's also misleading.

    You know you want to say it...Fake News!
    watto_cobra
  • Reply 9 of 16
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked.   Does that mean that the attacker has to setup a WiFi access point and hope that the victim(s) connects or can an attacker make use of any public WiFi access point to work the attack?  If it’s the former as implied, I don’t we need to get too lathered about it.  The problem with an article like is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.  

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
    watto_cobra
  • Reply 10 of 16
    Soli said:
    I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Since iOS 9 there has been an Album called "Recently Deleted" holding deleted photos for up to 30 days. Select any photo or video in that album and one of the choices is "Recover". If you want to really delete a photo you have to delete it first from the Library and then again from the Recently Deleted Album.
    Soliwatto_cobra
  • Reply 11 of 16
    SoliSoli Posts: 8,403member
    yoyo2222 said:
    Soli said:
    I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Since iOS 9 there has been an Album called "Recently Deleted" holding deleted photos for up to 30 days. Select any photo or video in that album and one of the choices is "Recover". If you want to really delete a photo you have to delete it first from the Library and then again from the Recently Deleted Album.
    👍 Thanks for the info.
  • Reply 12 of 16
    volcanvolcan Posts: 1,737member
    seanismorris said:
    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.
    Some websites are blocking traffic that appears to be coming from a VPN.
  • Reply 13 of 16
    SoliSoli Posts: 8,403member
    volcan said:
    seanismorris said:
    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.
    Some websites are blocking traffic that appears to be coming from a VPN.
    Yeah. The Verge has been doing this for awhile now. 
    watto_cobra
  • Reply 14 of 16
    svanstrom said:
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked.   Does that mean that the attacker has to setup a WiFi access point and hope that the victim(s) connects or can an attacker make use of any public WiFi access point to work the attack?  If it’s the former as implied, I don’t we need to get too lathered about it.  The problem with an article like is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.  

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
    That's the problem as I mentioned; the article is too vague but connecting to any open WiFi access point is problematic, esp. if it's a rogue spoofing a public hotspot.  Since the article is titled as Safari vulnerability, perhaps one could temporarily use another browser if essential to connect to a public hotspot.  Of course that might not work either but the article isn't helpful other than causing FUD.
    watto_cobra
  • Reply 15 of 16
    markbyrn said:
    svanstrom said:
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked.   Does that mean that the attacker has to setup a WiFi access point and hope that the victim(s) connects or can an attacker make use of any public WiFi access point to work the attack?  If it’s the former as implied, I don’t we need to get too lathered about it.  The problem with an article like is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.  

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
    That's the problem as I mentioned; the article is too vague but connecting to any open WiFi access point is problematic, esp. if it's a rogue spoofing a public hotspot.  Since the article is titled as Safari vulnerability, perhaps one could temporarily use another browser if essential to connect to a public hotspot.  Of course that might not work either but the article isn't helpful other than causing FUD.
    Damn, you folks are critical!

    I don't need to know the full details of the exploit for the article to be interesting. It's a news piece, not a public service, self-protection tutorial.

    Details won't make it any less FUDdy for many of us anyway, since the concepts are well beyond what most average users understand. Knowing that it only happens if the attacker sets up a certain kind of network doesn't help me, because I haven't the slightest idea how to determine what kind of network I'm connected to!

    If you or anyone else is part of the IT-savvy cool-kid set that understands this stuff, I'm sure a quick search will turn up all kinds of nuts-and-diodes articles just oozing with detailed techie goodness. The rest of us, who are too stupid, lazy, or otherwise-occupied to learn what any of this means will come away with the message that no photo or document on our phones is every really secure. That's not a bad message.
  • Reply 16 of 16
    I think that there’s a little too much fixation on the bit about a malicious WiFi access point: I believe that was a precondition common to all of the exploits that involved networking. In many browser exploits (and probably this one, given that it’s browser-based and not something that’s further down in the network stack) it’s meant to supply the condition that an adversary can force a visit to a webpage that can deliver the the attack. In a real world scenario an attack like this could be delivered by compromising a third party website (like this one) and using it as the delivery mechanism. If that’s the case then a VPN wouldn’t help at all. 

    Slightly off-topic digression:
    In general, I think that the common wisdom about (non-corporate) VPNs and open WiFi networks is somewhat outdated. Any service that you are using over the Internet should be end-to-end secured (usually via TLS) in a way that is designed to be used over untrusted networks. If a service can’t be safely accessed over an open WiFi network (including a rogue AP) then it’s probably not a good idea to access it over the open Internet at all, VPN or no. 


Sign In or Register to comment.