During this year’s Mobile Pwn2Own hacking competition, two Dutch security researchers managed to access user data saved on an iPhone 4S. According to a report from the IDG News Service, calling up a manipulated web site with iOS 5.1.1 was all that was needed to introduce malicious code that then sent any pictures, videos, address book data and browsing history saved on the device to the attackers’ server.
The report says that the security vulnerability that was used for the attack, which is in the WebKit browser engine used by the mobile version of Safari, can also be exploited for other iOS devices; the security researchers say that this has not yet been fixed as of the golden master version (Build 10A403) of iOS 6, which Apple released Wednesday evening. The two researchers told ZDNet that they developed the exploit in their free time over the course of three weeks and were awarded with a $30,000 prize as part of the Pwn2Own contest.
Details of the vulnerability were apparently only shared with the competition organiser, the TippingPoint’s Zero Day Initiative, which plans to pass the exploit on to Apple.