'ZipperDown' Flaw Might Expose Up To 100 Million Apple iPhones

This article is more than 5 years old.

Apple iPhone users take note: A vulnerability that might affect tens of millions of users leaves devices open to dangerous attacks, China-based researchers have warned. The flaw, dubbed ZipperDown, resides in 15,978 iOS apps that have been downloaded 100 million times, according to famous iPhone jailbreakers Pangu Team.

Little is known about the bug right now, other than it “is a very typical programming error,” Team Pangu wrote on the ZipperDown website. The worst-case scenario? “It depends on the affected app and its privileges. In general, attackers could overwrite the affected app’s data or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown's consequence,” Team Pangu added, noting that an unknown number of apps on Google's operating system were also affected.

In other words, the attacks wouldn't be catastrophic, as Apple and Google limit what data on the smartphone is accessible to a hacker who exploits a single app. Such hacks should be contained to just the information controlled by that application.

In a video, the Pangu crew showed how they were able to use the ZipperDown flaw to hack Weibo.

There is reason for some concern, despite the limitations of ZipperDown. Will Strafach, another big name in the jailbreaking scene and founder of app security firm Verify.ly, has been granted access to detailed information about ZipperDown and believes it’s more of “an unexpected way in, rather than a complete exploit” for iPhones.

Strafach, who agreed not to share more information before Pangu did, explained that the apps could be abused by a hacker sitting on the same network as a target, such as an attacker who has access to ISP infrastructure or is on the same Wi-Fi network. This is more of a concern for Asian and Middle Eastern targets, Strafach said, given those regions’ surveillance regimes that have close control over internet providers.

“But if you are on a public Wi-Fi network or even a bugged private network, then it is a risk for that as well by manipulating an ongoing download with content crafted in a specific manner,” Strafach said.

Neither Apple nor Pangu had responded to requests for comment at the time of publication.

Strafach had some good news, though: “An app update can fix it pretty easily.” So, if you're an iPhone user, keep those applications up to date to avoid any complications should real-world hackers get hold of the exploits.
