Thread: Recently Discovered iOS Security Exploit Allows Users' Information To Be Accessed

  1. #1
    MMi Staff Writer Akshay Masand's Avatar
    Join Date
    Sep 2011
    Location
    New York City
    Posts
    3,890
    Thanks
    3
    Thanked 122 Times in 107 Posts

    Default Recently Discovered iOS Security Exploit Allows Users' Information To Be Accessed


    Charlie Miller, a well-known Mac hacker and researcher, has reportedly found a way to sneak malware into the App Store and subsequently onto any iOS device by exploiting a flaw in Apple’s restrictions on code signing. According to Forbes, the restrictions allow the malware to steal user data and take control of certain iOS functions.

    Miller explained that the code signing restrictions allow only Apple’s approved commands to run in an iOS device’s memory, and apps that violate these rules aren’t allowed in the App Store. He found a way to bypass Apple’s security check by exploiting a bug in iOS code signing, one which allows an app to download new and unapproved commands from a remote computer. The malware can then be used to read the user’s contacts, make the phone vibrate or sound a ringtone, steal the user’s photos, and more whenever the developer chooses. According to Miller:

    Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can’t be assured of anything you download from the App Store behaving nicely.

    The flaw first surfaced with the release of iOS 4.3, which increased browser speed by allowing JavaScript code from the internet to run on a much deeper level in a device’s memory than in previous iterations of the iOS platform. Miller was able to realize that the increased speed forced Apple to create an exception for the browser to run unapproved code, and the researcher soon was able to find a bug which allowed him to expand the code beyond the browser to any app downloaded from the App Store.

    To showcase the exploit he found, Miller created an app called “Instastock,” which he submitted and Apple approved. The app appears to be a simple stock ticker, but it can leverage the code signing bug and communicate with Miller’s server to pull unauthorized commands onto the affected device. From there the program has the ability to send back user data including address book contacts, photos, and other files. The app has been pulled from the App Store and, according to a recent tweet of his, Miller has been banned from the Apple Store and kicked out of the iOS Developer program as well.

    To provide more info on the exploit, Miller will be giving a talk at the SyScan conference in Taiwan next week. He won’t be publicly revealing the exploit, though, giving Apple time to fix the issue at hand. He does do a good job of showing it off in a video, which can be found below:



    For those of you who don’t already know, Charlie Miller isn’t a novice when it comes to iOS or Mac security. In 2008, Miller broke into the MacBook Air in two minutes through Safari amongst many other feats.

    What do you think of the whole ordeal? Do you think Apple made a smart move in banning him? Share any thoughts below!

    Source: Forbes, Twitter

  2. #2
    iPhone? More like MyPhone bootleg's Avatar
    Join Date
    Aug 2007
    Location
    california
    Posts
    227
    Thanks
    13
    Thanked 17 Times in 13 Posts

    no they should hire him and give him a bonus.

  3. #3
    My iPhone is a Part of Me Mr. Russian's Avatar
    Join Date
    Feb 2011
    Location
    Sacramento, California
    Posts
    511
    Thanks
    32
    Thanked 49 Times in 44 Posts

    i think they should have him find bugs and different holes so they could fix them

  4. #4
    What's Jailbreak? Amillio's Avatar
    Join Date
    Aug 2008
    Posts
    25
    Thanks
    0
    Thanked 1 Time in 1 Post
    Well I don't know too much about this guy but one thing he should be helping the jailbreak community with something like that. Cydia could have been installed using code like that the dev teams should've taken advantage of that. He shouldn't have been banned he should have been hired he publicly showed that there are flaws that need fixed. He either needs to work for apple or one of the dev teams.

  5. #5
    iPhoneaholic bdwayneh's Avatar
    Join Date
    Nov 2007
    Location
    Atlanta, GA
    Posts
    422
    Thanks
    34
    Thanked 34 Times in 24 Posts

    It would be really cool if someone could do something like this and allow it to jailbreak the iPhone. First iPhone jail broke by using apple's app store. I am sure it's probably out of the scope of this though

  6. #6
    What's Jailbreak?
    Join Date
    Nov 2011
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I think it was a TERRIBLE move banning him. They absolutely should be encouraging him, since it seems that he is not malicious but instead just testing Apple and pushing them to be superior... And, as "bootleg" said, they should definitely consider contracting him to their security team! In fact, didn't they just lose a VP of Global Security!? Seems like a perfect solution!

  7. #7
    What's Jailbreak?
    Join Date
    Oct 2007
    Posts
    17
    Thanks
    0
    Thanked 7 Times in 2 Posts

    and this is exactly what you get when you have a closed os... geez this wouldn't happen if the phone was running a little snitch program.....yawn.....apple will get burnt and hopefully release its grip.....oh wait it's called jailbreaking, yawn.

  8. #8
    iPhone? More like MyPhone spooneditr's Avatar
    Join Date
    Dec 2008
    Posts
    274
    Thanks
    8
    Thanked 18 Times in 10 Posts

    Quote Originally Posted by prsbirds View Post
    I think it was a TERRIBLE move banning him. They absolutely should be encouraging him, since it seems that he is not malicious but instead just testing Apple and pushing them to be superior... And, as "bootleg" said, they should definitely consider contracting him to their security team! In fact, didn't they just lose a VP of Global Security!? Seems like a perfect solution!
    I agree!! Hire this guy!



  9. #9
    iPhone? More like MyPhone DaLsim's Avatar
    Join Date
    Jun 2011
    Posts
    218
    Thanks
    0
    Thanked 6 Times in 5 Posts

    yea, apple too stupid? They should have hire in to check all malware? Now other big player can hire him to put worms in apple, core...

  10. #10
    Peanut Brain confucious's Avatar
    Join Date
    Oct 2008
    Location
    Woking
    Posts
    10,290
    Thanks
    139
    Thanked 917 Times in 832 Posts

    Quote Originally Posted by spooneditr View Post
    I agree!! Hire this guy!
    I really, really hope they don't. ......

    I don't actually follow him on twitter but lots of those I do follow, follow him and I have learned a lot from their retweets of him.
    Last edited by confucious; 11-08-2011 at 01:35 AM.
    He who asks a question looks foolish for 5 minutes. He who doesn't ask a question remains foolish forever.

  11. #11
    iPhoneaholic s0ulp1xel's Avatar
    Join Date
    Apr 2011
    Location
    HiltonHeadIsland, SC
    Posts
    462
    Thanks
    13
    Thanked 18 Times in 11 Posts

    Cool. But scary.

  12. #12
    iPhone? More like MyPhone RoloDiva13's Avatar
    Join Date
    Apr 2011
    Location
    Orlando, Florida, United States
    Posts
    112
    Thanks
    1
    Thanked 1 Time in 1 Post
    Confucious, Care to shed some light on that? I was thinking the same as most of the rest of this thread (that Apple should, in fact, be hiring this guy, not firing him from the Dev Program), but if he's not as 'helpful' as he appears, that bears some consideration.

    Quote Originally Posted by s0ulp1xel View Post
    Cool. But scary.
    Agreed...Mostly scary, though Especially after viewing the video demonstration.
    Last edited by RoloDiva13; 11-08-2011 at 05:15 AM.

  13. #13
    iPhone? More like MyPhone
    Join Date
    Oct 2007
    Posts
    244
    Thanks
    234
    Thanked 19 Times in 16 Posts

    How typical of apple (and all large corporations): give huge bonuses to administrators and punish those that actually find something useful.

  14. #14
    What's Jailbreak?
    Join Date
    Dec 2010
    Posts
    17
    Thanks
    0
    Thanked 0 Times in 0 Posts

    So they ban him but hire 2 guys that allowed so many of us to jailbreak our phones? That makes no sense at all. They need to be kissing his *** & giving him a job. He would be a major asset to them.

  15. #15
    Banned
    Join Date
    May 2008
    Location
    In the shadows
    Posts
    798
    Thanks
    120
    Thanked 74 Times in 47 Posts

    That's why I call them crApple for their crap ways of doing things. Instead of hiring him to stop the exploits they ban him. Stupid. Now he just tells everyone the exploits and crApple are now bombarded by apps that are good but malware and they don't know which is which. Their stupid move not his. He probably did the right thing by telling them what he did and not actually doing anything with his app but pointing out the huge hole in their system. I would love to know this exploit. I would put it in my apps. Not to attack the users but to get back at crApple for their stupid devices and lack of features and for stealing hackers' work with no credit to them. How many features of iOS were started from a cydia app and how much money did those original devs get from crApple? $0. crApple deserve a few really bad attacks.

  17. #16
    iPhoneaholic jasvncnt10's Avatar
    Join Date
    Mar 2008
    Location
    NEW JERSEY
    Posts
    494
    Thanks
    487
    Thanked 91 Times in 75 Posts

    The man is an F'n genius

  19. #17
    Livin the iPhone Life JedixJarf's Avatar
    Join Date
    Jun 2007
    Posts
    1,917
    Thanks
    30
    Thanked 129 Times in 102 Posts

    Quote Originally Posted by bootleg View Post
    no they should hire him and give him a bonus.
    This.

  20. #18
    Peanut Brain confucious's Avatar
    Join Date
    Oct 2008
    Location
    Woking
    Posts
    10,290
    Thanks
    139
    Thanked 917 Times in 832 Posts

    Quote Originally Posted by Kevin8677 View Post
    So they ban him but hire 2 guys that allowed so many of us to jailbreak our phones?
    2? Comes has an internship with them, who's the other one?

  21. #19
    Green Apple czarcasm's Avatar
    Join Date
    Oct 2011
    Location
    Michigan
    Posts
    32
    Thanks
    0
    Thanked 1 Time in 1 Post
    if he wouldn't use this exploit for benefiting himself (which he didn't) apple should be hiring this guy

  22. #20
    Peanut Brain confucious's Avatar
    Join Date
    Oct 2008
    Location
    Woking
    Posts
    10,290
    Thanks
    139
    Thanked 917 Times in 832 Posts

    What makes everyone think he would want to be employed by Apple?
