

IPhone hacked via Mobile Safari and SMS database hijacked (at Pwn2Own 2010) - kvs
http://blogs.zdnet.com/security/?p=5836

======
tptacek
It's news, and it's noteworthy, but I think the IE8 flaw Vreugdenhill used is
a bigger deal:

[http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-Internet...](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf)

------
kvs
Note that this is not a jail-broken iPhone. This is a regular iPhone with the
latest OS and code signing.

~~~
DougBTX
I enjoy the idea of return oriented programming, piecing together an exploit
from your host app's binary.

Worth noting that they didn't break out of the sandbox; an app downloaded from
the App Store could get access to the same data they did.

~~~
tptacek
Did they ROP the iPhone, or was it a straight-up ret2libc? Ret2libc is an
ancient technique.

~~~
DougBTX
More details here <http://blog.zynamics.com/> tomorrow - doesn't sound like it
is straight up; depends on what they mean by "chained".

~~~
tptacek
Ok, it sounds like Halvar is just rejecting the term ROP, and you're right,
that's what it is.

------
JunkDNA
I almost skipped this article assuming it was one of these "hacks that's not a
hack" kind of things. This is a pretty major security issue, especially since
the hack is claimed to potentially expose email as well. The Exchange server
integration means some pretty sophisticated phishing could be done to get
access to confidential info. Hope Apple patches this flaw fast.

------
jrockway
But hey, at least Apple saved a few bounds checks before memory writes!

------
memoryfault
Not so much hijacked as it was downloaded to the server...

