iPhone X bug lets hackers snag deleted photos

Researchers discovered the exploit at a hacker event this week.
Kris Holt, @krisholt
November 15, 2018

Whether it's because they're unflattering, inappropriate or just plain terrible, we've all deleted photos for one reason or another. But the drunken 3AM selfies that you thought you scrubbed from your phone might not be totally gone, and two researchers have found a vulnerability in the iPhone X that could let hackers access supposedly deleted photos and files.

Richard Zhu and Amat Cama discovered the issue at a contest for hackers to find iOS and Android bugs, and revealed it in a demo this week. They connected to the device (which was running iOS 12.1) through a malicious Wi-Fi access point and exploited a vulnerability in a just-in-time (JIT) compiler, which helps iPhones run faster by processing code while a program is running, rather than in advance.

They were then able to grab a photo from the Recently Deleted album in the Photos app (so the image wasn't truly deleted). The album retains photos you deleted for 30 days, just in case you excised them by accident or change your mind, before permanently scrubbing them. The exploit could be used to access other data that the JIT compiler processes. The photo was just the first file that Zhu and Cama found.

The pair earned a $50,000 bounty at Mobile Pwn2Own for discovering the problem (it's not the first time hackers at the event have grabbed data from an iPhone via a Safari bug). As per the rules of the contest, Apple has been informed of the bug, according to Forbes, but has yet to patch it.
