Richard Zhu and Amat Cama discovered the issue at a contest for hackers to find iOS and Android bugs, and revealed it in a demo this week. They connected to the device (which was running iOS 12.1) through a malicious Wi-Fi access point and exploited a vulnerability in a just-in-time (JIT) compiler, which helps iPhones run faster by processing code while a program is running, rather than in advance.
They were then able to grab a photo from the Recently Deleted album in the Photos app (so the image wasn't truly deleted). The album retains photos you deleted for 30 days, just in case you excised them by accident or change your mind, before permanently scrubbing them. The exploit could be used to access other data that the JIT compiler processes. The photo was just the first file that Zhu and Cama found.
The pair earned a $50,000 bounty at Mobile Pwn2Own for discovering the problem (it's not the first time hackers at the event have grabbed data from an iPhone via a Safari bug). As per the rules of the contest, Apple has been informed of the bug, according to Forbes, but has yet to patch it.