Chinese iOS jailbreakers called the Pangu Team have found a vulnerability that affects almost 10% of iOS apps in the store. The attack can wipe users data when the code is being executed.
The vulnerability has been named ZipperDown although the researchers didn’t give out any technical details because the vulnerability is still in the wild, the team are currently asking the app developers to contact them privately for technical details of the vulnerability so that they can test their applications for the presence of the vulnerability.
The Pangu Team found multiple iOS apps that are vulnerable to ZipperDown. They have built a mobile threat intelligence platform called Janus to perform deep and wider scans and the platform has tested 168,951 apps and out of them, 15,978 were found vulnerable. The security flaw is not new but the Pangu Team were not expecting so many applications to be affected by it. The effect of the Zipperdown depends on the app permissions given by the user. “In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app.”
The typical attack vector for this vulnerability is through the traffic hijacking and spoofing the data over wireless networks. The researchers have even made a video demo where they have managed to execute the arbitrary JavaScript Code in the Weibo app using an unsafe wireless environment. The Pangu team has manually verified Chinese apps such as Weibo, MOMO, NetEase Music, QQ Music and Kwai whose user-base exceeds 100 million users.
The developers will hopefully fix their applications and correct the error where needed but in general, it is preferred for the users to use a Virtual Private Network for their own safety as this service prevents traffic spoofing and other man-in-middle attacks.
Take your time to comment on this article.