Bug In iOS, OS X Allows AirDrop To Write Files Anywhere On File System

Trailrunner7 writes: There is a major vulnerability in a library in iOS and OS X that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog. Mark Dowd, the security researcher who discovered it, said he's been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device. In fact, an attacker can exploit the vulnerability even if the victim doesn't agree to accept the file sent over AirDrop.

Re:The enabling technology, itself, is ridiculous.

[93+Escort+Wagon]

Given this bug, how can you know that?

If you'd read the article, you'd have seen that the way to bypass the authorization prompt was by "nstalling an enterprise provisioning profile on the device and marking it as trusted."

Sounds to me like AirDrop is superfluous in this case. If my device has an enterprise provisioning profile, I believe that enterprise can already put whatever it wants on it.

So, if anything, this sounds like a sandboxing issue (you can put files in arbitrary locations on the device) rather than an AirDrop issue.