back to article Latest iPhone hacked to blab all your secrets

Dutch hackers have exploited a WebKit bug in mobile web browser Safari to rinse an iPhone 4S of its photos, address book contacts and its browser history. The flaw exists in Apple's iOS 5.1.1 and the latest developer preview of iOS 6, the first public build of which was released last night to fanbois. It should thus affect …

COMMENTS

This topic is closed for new posts.
  1. Platelet
    Gimp

    There is no vulnerability

    They were simply holding it wrong

    1. GitMeMyShootinIrons
      Meh

      Re: There is no vulnerability

      Actually, following your logic, holding it wrong would actually close the vulnerability on an iPhone 4 (in a sledgehammer/walnut style). Of course, that issue was fixed on the 4S and 5, so these would remain vulnerable...

      1. adw

        Re: There is no vulnerability

        Party pooper. Or didn't you get the joke?

  2. lemmac

    Eh?

    "Email and SMS were not not available because they were sealed off from the hijacked Safari process and separately encrypted."

    +

    "The CEO of a company should never be doing e-mail or anything of value on an iPhone"

    /

    " There are a lot of people taking photos on their phones that they shouldn't be taking."

    = WTF???

    1. Rob Carriere

      Re: Eh?

      Today somebody hacks the browser and cannot get to the email (but could get to the photos). Maybe tomorrow somebody else hacks the email and cannot get to your bookmarks (but probably still can get your photos). The warning is in general, not as a defense against the specific hack.

      Whether the warning is one you should heed, would depend on a proper risk-analysis. "Oh my God, there's an exploit, abandon all hope!" is nearly as silly as "My phone is my castle."

      1. Anonymous Coward
        Anonymous Coward

        Re: Eh?

        My thoughts exactly - the author evidently just took a few completely unrelated sentences and stuck them on the end of the article. It doesn't say anything coherent and there is no explanation.

        Rubbish.

        1. Ted Treen
          Paris Hilton

          Re: Eh?

          "...the author evidently just took a few completely unrelated sentences and stuck them on the end of the article. It doesn't say anything coherent and there is no explanation..."

          Note the by-line.

          Par for the course.

          Adolescent 'look-at-me-I'm-ever-so-clever' scribbling masquerading as grown-up journalism.

  3. mickey mouse the fith

    Wonder if this could be used for jailbreaking the new ios?

    As above.

  4. Tom 35

    AC trash talk

    Android phones. At least you can install Firefox or Opera (not the shell over webkit iOS one).

    It's NEWS because Apple is reported to be the most secure.

    1. Spearchucker Jones

      Re: AC trash talk

      What odds that Firefox and Opera don't have zero-day vulnerabilities? Before this one was discovered in Webkit every one said much the same about Webkit.

    2. diodesign (Written by Reg staff) Silver badge

      Re: AC trash talk

      If you're referring to the deleted comment, it was removed for the anonymous abuse. Let's stick to technical discussions.

      One thing we forgot to add is that the S III is set to get Android 4.1 Jelly Bean, which has had a lot of NFC fixes and is not the 4.0.4 compromised by the team . Anyway, both hacks are significant in terms of security and skill, and a second story is in the works.

      C.

    3. imaginarynumber

      Re: AC trash talk

      Yes but only by apple and the uniformed members of the press

  5. lemmac

    email

    so email couldn't be accessed through the exploit but then there's an express warning not to use email...

    1. Martin Huizing

      Re: email

      Some people use web-mail...

    2. Blip

      Re: email

      The express warning was for specifically CEOs, which implies to me that you shouldn't rely on email being secure for the sort of documents a CEO would handle.

    3. Jonathan Richards 1 Silver badge
      Thumb Up

      Re: email

      But email addresses reside in the contacts list which was available to the exploit, if I read TFA correctly. Just the addresses of the people that CEOs communicate with in the course of business could facilitate a spear phishing attack, no?

      The advice is good, if a bit elliptical: keep your confidential work communications safely on a confidential work communications network.

  6. Anonymous Coward
    Anonymous Coward

    Blackberry

    They'll be lucky to exploit much on my BB's browser - fucking useless thing crashes on any sites much more complicated that BBC News... :-(

  7. nigel 15

    developer preview of iOS6?

    The flaw exists in Apple's iOS 5.1.1 and the latest developer preview of iOS 6, which was made public last night. It should thus affect iPhones...

    i take it that is not meant to imply that the latest developer preview was released last night...?

    1. diodesign (Written by Reg staff) Silver badge

      Re: nigel 15

      Yers, very good. But before you reach for your pedantry badge, consider that the latest developer preview - the gold master - is what will effectively ship to fanbois anyway. Huzzah!

      C.

      1. nigel 15

        Re: nigel 15

        It's not pedantry. the phrasing is ambiguous at best.

        because you know what you meant to write it's difficult to see how it reads to other people. it was constructive criticism. do with it what you will.

  8. Anonymous Coward
    Anonymous Coward

    "Email and SMS were not not available"

    So, Email and SMS were available, then?

  9. redniels
    Gimp

    IOS, bleegh but morre serious

    Steam also uses Webkit!

    So now, the unholy trinity on a (windows) PC; IE, Flash & PDF is made into a Quadrility (if that even is correct english) IE, Flash, PDF .........& Steam

    all your games are belong to us... and then some..

    are you paying attention, Gabe?

    1. Silverburn

      Re: IOS, bleegh but morre serious

      No he's not- he's too busy putting the finishing touches on HL3...

      Or at least I hope he is!

  10. uhuznaa

    More about the Galaxy S3 exploit

    "MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation."

    At least Apple was wise enough to leave NFC out of the iPhone 5...

    Seriously, paying with NFC when the hardware you rub your phone against can just take it over then seems to be a very bad idea.

    They're all fumbling around, all of them.

  11. JaitcH
    FAIL

    Aoole software doen't have bugs

    These are unannounced, undocumented features - in this case for the US NSA so they can tap all iPhones without difficulty. Their motto is: Your secrets are ours.

    1. Aaron Em
      Black Helicopters

      What ignorant nonsense

      Why bother infiltrating end-user equipment when tapping OC-192s offers so much better value for your time and money?

  12. Anonymous Coward
    Anonymous Coward

    Not just iOS and Andorid use webkit

    Webkit is a very widely used web engine, and turns up in all sorts of places. Of course, they'd all need their own exploit writing for them independently, since this involves constructing executable code which talks to the OS, assuming the exploit is in all versions of it.

    Mind you, I'm yet to be convinced that anything more complex than a microwave oven connected to the internet can't be exploited if someone has a reason to spend the time to hack you.

    1. Aaron Em

      Re: Not just iOS and Andorid use webkit

      Stuxnet, for one, would seem a point in favor of this suspicion.

This topic is closed for new posts.