Keen Team exploits Safari in mobile browser category

Author: Heather Goudey, senior security content developer, HP

We have our first winner! In the mobile browser category, Keen Team (from Keen Cloud Tech) demonstrated two iPhone exploits via Safari. The team of eight from China didn’t compromise the sandbox, so they will be splitting the $27,500 as compensation.

In a world where social media is thoughtlessly ubiquitous, the Keen Team, with remarkable ease, demonstrated two exploits that were a wake-up call to those who share their personal information on mobile devices.

The team demonstrated two exploits against Safari on an iPhone 5 with the following results:

  • Captured Facebook credentials on iOS version 7.0.3
  • Stole a photo on iOS version 6.1.4

Note that these phones are NOT jail-broken.

The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie, which was then exfiltrated and used to compromise the targeted Facebook account from another machine. For the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt the user to take an action before their credentials could be compromised.

Regardless, this was a lesson to be careful with what personal details you share online and to think twice before you click.

The second was another Safari exploit, and it took a little longer due to technical difficulties (we forgot to plug their laptop in). In this case the vulnerability in Safari was exploitable due to issues with the permissions model, and Keen Team was able to access photos stored on the device. Again, in order to succeed, the attacker would need the affected user to click on a link.

Both exploit demonstrations took no more than 5 minutes to achieve.

To the best of our knowledge, these vulnerabilities do not affect Blink (a rendering engine for the Chromium project).

The vulnerabilities have been disclosed to Apple and Google, and they’ll be working to research and remediate these issues as applicable. (The vulnerability was disclosed to Google in order to verify that Blink, and thus Chrome, was not affected.)

Keen Team was represented by Daniel Wang, James Fang and Liang Chen. This team also includes Wu Shi, a former external ZDI platinum researcher, renowned for spotting a broad range of vulnerabilities on multiple platforms. Keen Team are the first Chinese team to win at Pwn2Own.

Up next, Takeshi Terada and Tomonori Shiomi, of Mitsui Bussan Secure Directions, Inc. are attempting exploits against several applications installed by default on the Samsung Galaxy S4.

A reminder of the Pwn2Own rules and regulations can be found here.
