All your pictures, contacts and browsing history available.
During the Mobile Pwn2Own competition held at Amsterdam, two researchers from a Dutch security firm managed to hack the iPhone 4S through a malicious website. The exploit, which bypasses Safari’s security measures, allows the hacked iPhone 4S’ pictures, address book and browsing history to be sent to any server.
The exploit was made using a bug found in WebKit, in just “three weeks.” According to Joost Pol, one of the researchers at Certified Secure, the exploit code can be embedded anywhere on the website, stating that “We could embed the code in advertisements on news sites for example.”
The exploit will be sent to Apple directly so that a fix can be issued by them. However, it should be noted that the security flaw was found in WebKit, an open source engine framework used in both Apple’s Safari and Google’s Chrome browsers, and that Apple isn’t squarely at fault.
“You know, people think that these things are so hard to do, that it’s only theoretical and that it’s only Charlie Miller or Willem Pinckaers (previous Pwn2Own winners) capable of doing this. There are many people — good and bad — who can do this. It’s important for people to understand, especially businesses, that mobile devices should never be used for important work,” Pol told ZDnet.
The hacked iPhone 4S was running iOS 5.1.1 as well as the Developer Build of iOS 6, which means that the iPhone 5 is also susceptible to this exploit. Additionally this exploit also works on iPads as well.
The two researchers Joost Pol and Daan Keuper won $30,000 for the hack at the Mobile Pwn2Own competition.