
Safari vulnerability lets hackers swipe recently deleted photos from iPhone X

Amat Cama (left) and Richard Zhu (middle) demonstrate an iPhone X attack at Mobile Pwn2Own 2018.


White-hat hackers Richard Zhu and Amat Cama at the Mobile Pwn2Own contest on Wednesday leveraged a previously unknown exploit that allowed the pair to extract a supposedly deleted photo from an iPhone X running the latest iOS 12.1.

According to show sponsor Trend Micro's Zero Day Initiative, Zhu and Cama successfully demonstrated an attack involving Apple's Safari web browser to earn $50,000 on the Pwn2Own show floor in Tokyo.

The duo, operating as team Fluoroacetate, connected the target iPhone X to a malicious Wi-Fi access point, then chained an unpatched just-in-time (JIT) compiler bug with an out-of-bounds access to read a file from the phone's storage. A day earlier, Fluoroacetate had used a similar method for a sandbox escape and privilege escalation on an iPhone X over Wi-Fi.

As noted by Forbes, the potent attack can theoretically grab any number of files from a target device, but the photo happened to be the first file the pair came across in the exercise.

A closer look at the hack reveals the stolen photo was merely marked for deletion, meaning it was still on disk and showed up in the Photos app's "Recently Deleted" album. Apple's iOS maintains the Recently Deleted album as a safeguard against accidental image deletion.

When a user "trashes" a photo, it remains on disk for 30 days, presenting an opportunity to recover the file. Images can be permanently destroyed by manually deleting them from the Recently Deleted album.

As per Pwn2Own's rules, Apple has been informed of the exploit and is presumably working on a fix that should be delivered in a future iOS update.

Apple's iPhone X was the target of multiple attempts at this year's Pwn2Own, including an unsuccessful browser attack from MWR Labs and a failed baseband exploit from Zhu and Cama.

Fluoroacetate racked up a total of $215,000 in prizes to win Mobile Pwn2Own 2018. Zhu is a veteran iOS hacker with a record of successful attacks, including the bypass of iPhone 7 security protocols using two Safari bugs at last year's Mobile Pwn2Own event.

Started in 2007, Pwn2Own is an annual hacking contest that offers cash and prizes to security researchers who find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Vendors are provided information about the exploits, giving them a chance to patch the bugs, hopefully before they are leveraged for nefarious means.



16 Comments

movingincircles 15 Years · 27 comments

Title makes the issue much worse than it seems. Annoyed with journalism these days. Yeah... it's technically true, but it's also misleading.

seanismorris 8 Years · 1624 comments

The fact that the file was a “deleted photo” isn’t really relevant.

Congrats to the white hat for finding the vulnerability and getting a payday.

Browsers are the easiest attack vectors besides social engineering attacks; always use a VPN.

Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.

Google is doing it to keep the ad revenue flowing, so there's that. Personally, I'd never use Google's...

sflocal 16 Years · 6138 comments

And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.

Soli 9 Years · 9981 comments

seanismorris said:
The fact that the file was a “deleted photo” isn’t really relevant.

Deleted or saved, it doesn't make a difference. It's not like we're talking about multiple nature photos where the worst ones were deleted. There could be nude photos, photos of a DL or other pictures that have personal and private information on them. I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

seanismorris said:
Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.

I pay for a VPN service which I use on Public WiFi, but CloudFlare, which introduced their fast, secure, no-tracking DNS service about a year ago now has an iOS and Android app. It's not a VPN for protecting all your data traffic, but on iOS (at least) it uses the VPN service for their DNS.

  • https://1.1.1.1

Despite some potentially confusing language, you can use other VPN services, you just have to switch between them as you normally would once you get to an unsecured network.

PS: My only qualm with how Apple treats all VPN services is they don't intelligently keep all their Apple-based traffic (or rather all non-VPN and local router splash screen) from being paused automatically until your VPN service connects. They don't even need to add this as an actual feature, but create the APIs so you can control this data flow from within the VPN apps themselves.

sflocal said:
And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.

It's kind of like breaking into and hot wiring a car. You got props if you can crack all the advanced security in a 2019 Bugatti Chiron in under 10 minutes, but no one cares that you can hotwire a 1984 Toyota Tercel in less than 60 seconds.

markbyrn 14 Years · 662 comments

According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a WiFi access point and hope that the victim(s) connects, or can an attacker make use of any public WiFi access point to work the attack? If it’s the former, as implied, I don’t think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.