Slashdot Mirror

← Back to Stories (view on slashdot.org)

Somebody Just Claimed a $1 Million Bounty For Hacking the iPhone (vice.com)

Posted by samzenpus on from the protect-ya-neck dept.

citadrianne writes with news that security startup Zerodium has just paid a group of hackers $1 million for finding a remote jailbreak of an iPhone running iOS 9. Vice reports: "Over the weekend, somebody claimed the $1 million bounty set by the new startup Zerodium, according to its founder Chaouki Bekrar, a notorious merchant of unknown, or zero-day, vulnerabilities. The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple's mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants app with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message. This essentially meant that a participant needed to find a series, or a chain, of unknown zero-day bugs."

5 of 100 comments (clear)

  1. Exploit will be sold, kept secret from Apple by Anonymous Coward · · Score: 5, Insightful

    Unlike the last drive-by exploit (jailbreakme.com, several years ago), this one won't be used to create a jailbreak for users. Instead, the company plans to keep it secret from Apple, selling it to nefarious organizations such as “major corporations in defense, technology, and finance”. I'm sure that also includes government organizations.

    Lovely. If Apple had a bug bounty program, maybe the hacker would have sold it to them. Instead, their hubris sees them shut out, and their millions of users completely vulnerable.

    1. Re:Exploit will be sold, kept secret from Apple by postbigbang · · Score: 3, Insightful

      Apple's QA erodes further. They didn't pay bug bounties because they had the churl to believe in their own invincibility..... and like so many others, will meet their matches in new and interesting ways.

      --
      ---- Teach Peace. It's Cheaper Than War.
  2. Doesn't make sense to publicize by Anonymous Coward · · Score: 3, Insightful

    Surely an unknown zero-day remote exploit would worth more than a publicized one?

    If you are in the business of buying zero-days and sell to the highest bidder, it doesn't make sense to let Apple know that one is found. A much better approach is to require anyone claiming the bounty to keep quiet, so the buying can use the zero-day for much longer before anyone notice.

  3. Re: Stolen Work by Anonymous Coward · · Score: 5, Insightful

    Chrome on iOS isn't actually chrome. All the rendering is done by safari, since Apples app store rules don't permit 3rd party web renderers.

    Consider Chrome on iOS to be 'safari with a shell that syncs bookmarks'.

  4. Re: Exploit is though Chome browser by Anonymous Coward · · Score: 0, Insightful

    RTFA, works on Safari, Chrome, SMS or mms