Two whitehats receive $60,000 in rewards for successfully finding iOS 12.1 vulnerabilities
Invoking the blog post content updated on the Zero Day Initiative website, two white-hat hackers, Richard Zhu and Amat Cama, successfully found the vulnerability on the iPhone in the Mobile Pwn2Own contest held in Tokyo, and finally won $60,000 bonus. In a live demo, two whitehats successfully access deleted photos on iPhone X running iOS 12.1 via Safari using just-in-time (JIT) compilation vulnerability after connecting to malicious WiFi.
That brings to an end #Pwn2Own Tokyo 2018! Congrats to team @fluoroacetate on earning 45 points and being crowned Master of Pwn! #P2OTokyo pic.twitter.com/5MVzayd5aF
— Zero Day Initiative (@thezdi) November 14, 2018
The two whitehats also found that using this vulnerability, not only can access the deleted photos but also access other file content. And the deleted photo happens to be just the first folder encountered during the presentation. During the subsequent demonstration, the two white hats used the combination of JIT vulnerabilities in the web browser to perform sandbox escaping and lifting rights. This demo gave them a $60,000 reward and 10 Pwn points. In the first day of the competition, they won a prize of 140,000 US dollars and ranked 31st in the Master of Pwn.
