August 2nd, 2010

Security hole in Mobile Safari PDF support a bigger story than jailbreakme

Tom Boutell
Chief Software Architect

The buzz today is that a new site, jailbreakme, will jailbreak your iPhone without the need to install any software on your host computer.

What's bizarre about this is that everyone thinks it is cool and no one is pointing out that this site must be exploiting a truck-sized security hole in Mobile Safari.

Understand this: if jailbreakme can take over your phone, then any website run by a malicious hacker with skillz can take over your phone and run executables that do anything the attacker pleases. This is very bad and Apple needs to issue iOS 4.0.2 today.

Of course, when they do, people will accuse them of being meanies, completely missing the point that exploitable browser bugs are extremely dangerous and are not always used to do cool stuff by nice white-hat hackers.

As one friend tweeted back, "not from what I understand. It just dls a package that then, as allowed, unpacks and runs. It's basically a web app."

No, it is not a web app! A web app is something that stays in your browser and goes away when you close the page. Taking over your entire phone's operating system is not how a web app behaves. It is the reason why we patiently tell all of our friends not to install .exe files people email to them.

Alas, now iPhone users are so trusting that if Mobile Safari allows something to happen, they assume it must be intentional.

Just because this particular site delivers what it says it will deliver and even asks nicely doesn't mean that other sites exploiting the same hack must be innocent or will ask at all before installing malware on your phone.

But what is the security hole? Apparently it's PDF-related. I ran the source code of www.jailbreakme.com through a couple of pretty-printers and tracked down this snippet, which determines which file it loads in an iframe:

("/_/" + model + "_" + firmware + ".pdf")

Apparently Apple's PDF viewer on the iPhone has a security hole that allows native code to be loaded and run. This is not awesome. Raising the profile of an exploitable security hole before Apple has a chance to fix it is not awesome either as it will lead to innocent people getting their phones hacked.
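For anyone watching a web proxy for phones that hit a page built this way, here is an added example (not code from the post or from the jailbreakme site) that scans constructed proxy log lines for PDF requests of the "/_/" + model + "_" + firmware + ".pdf" shape quoted above. The log format, the host and address values, and the exact model/firmware token formats are assumptions; only the path shape comes from the post.

```python
import re
from typing import List, NamedTuple, Optional

# The page builds its iframe target as "/_/" + model + "_" + firmware + ".pdf",
# so a request for a path of that shape is the thing worth flagging.
# The token shapes (e.g. "iPhone3,1" and "4.0") are assumptions for this example.
PDF_PATH = re.compile(r"/_/(?P<model>[A-Za-z0-9,]+)_(?P<firmware>\d+(?:\.\d+)*)\.pdf$")

class Hit(NamedTuple):
    client: str
    host: str
    model: str
    firmware: str

def check_line(line: str) -> Optional[Hit]:
    """Parse one constructed proxy log line: '<client> <method> <url> "<user-agent>"'.
    Returns a Hit when the requested path matches the jailbreakme PDF shape."""
    m = re.match(r'(\S+) (\S+) (\S+) "([^"]*)"$', line)
    if not m:
        return None
    client, _method, url, _user_agent = m.groups()
    u = re.match(r"https?://([^/]+)(/[^?#]*)", url)
    if not u:
        return None
    host, path = u.groups()
    p = PDF_PATH.search(path)
    if not p:
        return None
    return Hit(client, host, p.group("model"), p.group("firmware"))

def scan(log_text: str) -> List[Hit]:
    """Run check_line over every line and keep the matches."""
    return [h for h in (check_line(l) for l in log_text.splitlines()) if h]

# Constructed sample lines; addresses, the second host and the tokens are made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.jailbreakme.com/ "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X)"
10.0.0.5 GET http://www.jailbreakme.com/_/iPhone3,1_4.0.pdf "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X)"
10.0.0.9 GET http://example.test/_/iPhone2,1_3.1.3.pdf "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X)"
10.0.0.7 GET http://example.test/docs/report_2010.pdf "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} fetched {hit.host} PDF for {hit.model} / firmware {hit.firmware}")
```

Any host serving the same path shape to iPhones, not just jailbreakme itself, shows up, which is the point of matching on the path rather than the domain.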

This is a Big Bug, and hopefully Apple will patch it before the week is out.