 


Thursday, March 25, 2010, 11:25 am PT (02:25 pm ET)

Apple's iPhone, Safari exploited at annual hacking contest

Virtually every major browser and operating system was a target at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.

On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.

Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.

Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.

Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.

Ralf-Philipp Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.

By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.

The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.

When researchers accept prizes at the Pwn2Own competition, put on by TippingPoint, the methods they used are revealed only to the affected company so that it can patch the flaws.

Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhil, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.

Another researcher, who went solely by Nils and is the head of research at MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.