After a serious mail vulnerability, a new zero-day vulnerability has appeared in iOS and iPadOS. Apple is once again struggling with a zero-day bug, and this one affects the latest iOS version, 13.4.1. The bug was found by a Swiss security researcher who goes by the alias «Siguza».
As «Siguza» explains in a lengthy write-up on GitHub, the bug lies in how iOS reads XML files, and it lets an app bypass certain security checks that are supposed to be enforced before publication on the App Store. An application can thereby obtain unlimited privileges, which puts users’ personal data at risk.
iPhone vulnerability: Malicious apps could already be in the app store.
RIP my very first 0day and absolute best sandbox escape ever:
— Siguza (@s1guza) April 29, 2020
This would allow cybercriminals to carry out every conceivable type of attack. «Siguza» is also unsure whether App Store review would have identified malicious apps exploiting the bug.
However, as «Siguza» writes, the bug is fixed in the upcoming iOS 13.5 update. He also added:
As far as first 0days go, I couldn’t have wished for a better one. This single bug has assisted me in dozens of research projects, was used thousands of times every year, and has probably saved me just as many hours. And the exploit for it is in all likelihood the most reliable, clean and elegant one I’ll ever write in my entire life. And it even fits in a tweet!!
Well over 3 years since discovery is not half bad for such a bug, but I sure would’ve loved to keep it another decade or two, and I know I’ll dearly miss it in the time to come.
We can also ask ourselves how a bug like that could ever exist. Why there are 4 different plist parsers on iOS. Why we are still using XML even. But I figure those are more philosophical than technical in nature. And while this entire story shows that it might be a good idea to periodically ask ourselves whether the inaccuracies of our mental models are acceptable, or something should be documented and communicated more thoroughly, I really can’t accuse Apple of much here. Bugs like these are probably among the hardest to spot, and I have truly no idea how the hell I was able to find it while so many others didn’t.
At the time of writing, this bug is still present in the latest non-beta version of iOS. The full write-up and project are available on GitHub.
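The risk «Siguza» describes above, several plist parsers reading the same XML file differently, is a general parser-differential problem. As an added defensive illustration (not Siguza’s code, not Apple’s fix, and not a description of the actual bug), the following Python parses an XML entitlements plist once, re-serializes it, and accepts the input only if it survives that round trip unchanged, so every later consumer sees one unambiguous document. The sample plists, the hypothetical comment in the second sample and all function names are constructed for this example.

```python
import plistlib
import re
from typing import Optional
from xml.parsers.expat import ExpatError

# Constructed sample entitlements plist: well-formed, no markup a plist does not need.
CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>EXAMPLE.com.example.app</string>
	<key>com.apple.security.app-sandbox</key>
	<true/>
</dict>
</plist>
"""

# Constructed sample carrying extra markup (a hypothetical XML comment). Different
# parsers need not agree on how to treat such markup, so the gate rejects it outright.
NOISY = CLEAN.replace(b"<key>application-identifier</key>",
                      b"<!-- hypothetical annotation --><key>application-identifier</key>")


def _strip_inter_tag_whitespace(data: bytes) -> bytes:
    # Indentation and line breaks between tags carry no meaning; ignore them.
    return re.sub(rb">\s+<", b"><", data.strip())


def canonicalize(data: bytes) -> bytes:
    """Parse once (XML only, never binary) and re-serialize with plistlib."""
    return plistlib.dumps(plistlib.loads(data, fmt=plistlib.FMT_XML), sort_keys=False)


def is_canonical(data: bytes) -> bool:
    """True only if the input already equals its own canonical form (modulo whitespace)."""
    return _strip_inter_tag_whitespace(data) == _strip_inter_tag_whitespace(canonicalize(data))


def accept_entitlements(data: bytes) -> Optional[dict]:
    """Defender-side gate: return the parsed plist only if it is canonical, else None."""
    try:
        if not is_canonical(data):
            return None
        return plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (ValueError, ExpatError):  # malformed plist or malformed XML
        return None
```

In a real pipeline the canonical bytes returned by canonicalize(), not the original upload, are what every downstream check should consume.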