The Keen Team, a group of Chinese researchers, exploited a critical WebKit bug in Safari on an iPhone that allowed them to view and take private data. Just over one month after the vulnerability was found, Apple has shipped an update to patch the bug.
The patch, which fixes nine security flaws, is available for Safari 6.1.1 and Safari 7.0.1. The most critical flaw allows hackers to launch drive-by downloads using rigged websites. A drive-by download can be a download that a person authorized without the full consequences being visible to them. It can also be a download that happens without a person’s knowledge and installs spyware, a virus, or other malware that can harm your computer.
The Keen Team demonstrated two iPhone exploits: one that captures your Facebook credentials (iOS 7.0.3) and another that takes your photos (iOS 6.1.4). They delivered the exploits as part of the Pwn2Own hacking challenge, which took place at the PacSecWest security conference in Japan.
Pwn2Own sponsor, HP, explains the exploit:
The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.
Apple confirmed that visiting a maliciously crafted website can cause unexpected code to run or applications to terminate suddenly.
The update also patches an issue that allowed websites to see your credentials via autofill. A statement from Apple said:
“Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”
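The kind of origin check Apple's statement points to can be sketched as follows. This is an added example, not Safari's code or Apple's fix: the function names, the conservative "same origin through the whole frame chain" policy, and the `.example` URLs are all assumptions made for illustration.

```javascript
'use strict';
// Hypothetical password-manager gate (illustration only, not Safari's code).
// frameChain lists URLs from the frame holding the login form up to the
// main frame: [formFrameUrl, parentFrameUrl, ..., mainFrameUrl].

// Serialized origin (scheme://host[:port]), or null when the origin is opaque.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === 'null' ? null : o;   // about:blank, data: and similar
  } catch (e) {
    return null;                      // unparseable URL: treat as opaque
  }
}

// Decide whether a credential saved for savedOrigin may be filled.
function autofillDecision(savedOrigin, frameChain) {
  if (frameChain.length === 0) return { fill: false, reason: 'no frame' };
  const origins = frameChain.map(originOf);
  const formOrigin = origins[0];
  const mainOrigin = origins[origins.length - 1];
  if (formOrigin === null) {
    return { fill: false, reason: 'opaque form frame' };
  }
  if (formOrigin !== originOf(savedOrigin)) {
    return { fill: false, reason: 'credential saved for another origin' };
  }
  if (formOrigin !== mainOrigin) {
    return { fill: false, reason: 'form frame differs from main frame' };
  }
  // Same-origin frame nested inside a cross-origin one is also refused.
  if (origins.some((o) => o !== mainOrigin)) {
    return { fill: false, reason: 'cross-origin ancestor in chain' };
  }
  return { fill: true, reason: 'same origin throughout' };
}

// Constructed sample frame chains.
const samples = [
  ['https://shop.example/login', 'https://shop.example/'],
  ['https://ads.example/widget', 'https://shop.example/'],
  ['https://shop.example/login', 'https://ads.example/f', 'https://shop.example/'],
];
for (const chain of samples) {
  console.log(chain[0], autofillDecision('https://shop.example', chain));
}
```

Comparing full origins (scheme, host and port) is stricter than the "domain" wording in the advisory; a real password manager may relax this in ways the sketch does not model.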