4'

iPhone: a zero-day vulnerability allows spying on your personal data

Abdullah MustaphaMay 6, 2020

After a serious mail vulnerability, a new zero-day vulnerability has appeared in iOS and iPadOS. Apple is again struggling with a zero-day bug. This affects the latest iOS version 13.4.1. The bug was found by a Swiss hacker with the alias «Siguza».

As «Siguza» explains in a long text on GitHub, users’ personal data can be hacked due to a bug in reading XML files. It allows hackers to bypass certain security checks before publication on the App Store. This enables applications to have unlimited privileges.

iPhone vulnerability: Malicious apps could already be in the app store.

This enables cybercriminals to carry out every conceivable type of attack. “Siguza” is also not sure whether the app store review would have identified malicious apps.

Gizchina News of the week

Join GizChina on Telegram

However, as «Siguza» writes, the bug will be eliminated with the upcoming iOS 13.5 update. He also added that:

As far as first 0days go, I couldn’t have wished for a better one. This single bug has assisted me in dozens of research projects, was used thousands of times every year, and has probably saved me just as many hours. And the exploit for it is in all likelihood the most reliable, clean and elegant one I’ll ever write in my entire life. And it even fits in a tweet!!
Well over 3 years since discovery is not half bad for such a bug, but I sure would’ve loved to keep it another decade or two, and I know I’ll dearly miss it in the time to come.
We can also ask ourselves how a bug like that could ever exist. Why there are 4 different plist parsers on iOS. Why we are still using XML even. But I figure those are more philosophical than technical in nature. And while this entire story shows that it might be a good idea to periodically ask ourselves whether the inaccuracies of our mental models are acceptable, or something should be documented and communicated more thoroughly, I really can’t accuse Apple of much here. Bugs like these are probably among the hardest to spot, and I have truly no idea how the hell I was able to find it while so many others didn’t.
At the time of writing, this bug is still present on the latest non-beta version of iOS. The whole project is available on GitHub.

Disclaimer: We may be compensated by some of the companies whose products we talk about, but our articles and reviews are always our honest opinions. For more details, you can check out our editorial guidelines and learn about how we use affiliate links.

Source/VIA :

Siguza

About the author

Abdullah Mustapha
I'm the ANDROID & CUSTOM ROMs EXPERT of GizChina for the past 5 years. With an unwavering passion for all things tech and a love for exploring the limitless possibilities of Android devices, I'm thrilled to be part of this incredible community.

iPhone vulnerability: Malicious apps could already be in the app store.

Gizchina News of the week

Abdullah Mustapha

Today in Home