Hackers have raked in a cool $50,000 from a tech contest after finding a flaw that allowed them to retrieve a photo that was supposed to have been deleted from an iPhone X.
Richard Zhu and Amat Cama banded together as Fluoroacetate to plan an attack on an Apple device running iOS 12.1, the company's newest mobile software. The hack enabled the duo to exploit weaknesses in the Safari browser, ultimately permitting the retrieval of an image that should have been deleted.
According to Forbes, Apple was told of the vulnerability, as per the rules of the Mobile Pwn2Own contest that took place in Tokyo, Japan. And, apparently, it was possible for the hack to pull out more media and information than just a photo.
Zhu and Cama's hack was able to find the deleted photo, which remained on the disk after being deleted, because it was the first file available.
Users of computers and mobile devices should know that deleting a file isn't as simple as clicking the delete option. And with iPhones, deleted files stay in the trash for 30 days before being permanently removed.
It's also possible to access the Recently Deleted file to remove it manually and, as iPhone and Mac forensic specialist Vladimir Katalov has confirmed, there's "no chance for recovery" after that. But Zhu and Cama proved it was still possible to hack a mobile Apple device and pull up files from the Recently Deleted storage.
As things stand, the vulnerability remains, as Apple has yet to release a patch.
Confirmed! The @fluoroacetate duo combined a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In the demo, they grabbed a previously deleted photo. In doing so, they earn themselves $50K and 8 Master of Pwn points. #P2OTokyo — Zero Day Initiative (@thezdi), November 14, 2018
Android users are in the same boat, with the team also demonstrating they could get into Google devices such as the Samsung Galaxy S9 and the Xiaomi Mi 6 during the competition. Another team, F-Secure's MWR Labs, also exposed other flaws on the same devices.
Given that Apple has been informed, they should make a patch available quite soon. However, they had not responded to a request for a comment from Forbes at the time of writing.