The Zero Day Initiative has run through the latest edition of its Mobile Pwn2Own competition for white hat hackers. A team of two named Fluoroacetate has cleaned up with several awards for exploit discoveries and has taken tens of thousands of dollars in cash rewards.
One of those discoveries is a doozy for those who delete loads of important information off of their iPhones without knowing what actually goes on behind the scenes.
iOS, as with many versions of Android, typically stores files that users delete for 30 days in a “recycle bin” folder before permanently deleting them. Until that period ends, the file remains on the device.
Forbes reports that Fluoroacetate, made up of Richard Zhu and Amat Cama, was able to get into an iOS 12.1 device through a malicious Wi-Fi access point (unsecured and unprotected) and manipulate the just-in-time code compiler in order to gain access to a “deleted” photo and capture it. The pair have also tested the hack with devices such as the Galaxy S9 and Xiaomi Mi 6 and have been successful.
All vendors have been contacted, so it’s up to them to patch the issue. Some phones do notify users and give them the choice of having the phone delete items in 30 days or immediately.