Recently, two researchers have demonstrated how an iPhone X vulnerability that could allow an attacker to access deleted pictures.
iPhone X Vulnerability Allows Hacking Deleted Pictures
At the recently ended Pwn2Own 2018 contest, two researchers demonstrated their hacking skills as they strived to win the contest. Yet, while doing so, they meddled with the iPhone X revealing an awkward hack. They allegedly discovered an iPhone X vulnerability that lets an attacker retrieve deleted files and photos.
The duo, Richard Zhu and Amat Cama, joined hands as fluoroacetate to discover the hack. As demonstrated, the hack simply involves exploiting the “recently deleted” feature in iPhone X. An iPhone retains any deleted file or picture for 30 days as “recently deleted”, after which, it disappears forever. After the 30-day time period, not even Apple stores the file (as claimed). However, during this time, the deleted files or photos remain vulnerable to being recovered.
The researchers exploited a vulnerability in the Apple Safari browser on a device running on iOS 12.1. Trend Micro’s Zero Day Initiative confirmed the hack in a tweet.
Success! The @fluoroacetate duo successfully demonstrated a browser attack on the iPhone X. Now off to the disclosure room for verification and details. A great start to Day Two of #Pwn2Own Tokyo. #P2OTokyo
— Zero Day Initiative (@thezdi) November 14, 2018
While the researchers retrieved a picture during the hack, the trick supposedly works to retrieve almost any deleted file.
Fix Maybe Coming
After the hackers presented details, Zero Day Initiative disclosed it in another tweet.
Confirmed! The @fluoroacetate duo combined a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In the demo, they grabbed a previously deleted photo. In doing so, they earn themselves $50K and 8 Master of Pwn points. #P2OTokyo
— Zero Day Initiative (@thezdi) November 14, 2018
As per the contest rules, Apple has been reported of the vulnerability. Hence, we may expect a fix to mitigate the flaw soon. Until then, iPhone X users need to stay wary of any possible hacks until a fix arrives.
While the users may be a bit troubled after the discovery, the hack brought some good fortune for fluoroacetate. Successful demonstration of this flaw made them win $50,000 with 8 Master-of-Pwn points.
This vulnerability marks just another glitch in iOS 12.1 posing a security threat to the users. It hasn’t been a while that we came to know of a lock screen bypass by exploiting Group Facetime.
