This week happened the Pwn2Own Tokyo 2018, an event where hackers team up to try to find flaws and vulnerabilities in devices and operating systems. In this edition, the tested smartphones were the Google Pixel 2, the Samsung Galaxy S9, the Huawei P20, the Xiaomi Mi6 and the iPhone X. And on the first day of the event, the hackers showed that they are not kidding, raising $ 225,000 in prize money for unveiling 13 vulnerabilities.
S9 Wi-Fi was also exploited, with hackers forcing the phone to visit a site without user interaction, then using an insecure redirect and an insecure app load to install a custom app.
And, no; iPhone X did not leave the competition unscathed. As highlighted by Forbes, the same hacking duo pocketed $ 60,000 for finding a hole in the device that allows you to recover a photo or file deleted by the user.
When deleting a photo on iPhone X, iOS first warns that it will be deleted from all connected devices on iCloud account (if you are using iCloud Photo Library); By choosing to delete, the photo then goes to an album of deleted images and remains there for 40 days until it is actually deleted.
Hackers have found a way to recover these recently deleted photos by exploiting a compiler vulnerability just in time (JIT), which supposedly processes the computer code while a program runs. If this compiler is compromised, you can recover recently deleted files. In theory, any data processed by the JIT compiler could be vulnerable to image attack was used only as a proof of concept.
Apple has been properly informed about the bug we will see when everything will be fixed.
via The Verge