September 27, 2020

Two whitehats receive $60,000 in rewards for successfully finding iOS 12.1 vulnerabilities


According to a blog post on the Zero Day Initiative website, two white-hat hackers, Richard Zhu and Amat Cama, successfully found a vulnerability in the iPhone at the Mobile Pwn2Own contest held in Tokyo, and won a $60,000 reward. In a live demo, the two whitehats accessed deleted photos on an iPhone X running iOS 12.1 through Safari, using a just-in-time (JIT) compilation vulnerability after the device connected to a malicious WiFi network.

The two whitehats also found that the vulnerability gives access not only to deleted photos but also to other file content; the deleted photos just happened to be in the first folder encountered during the presentation. In the subsequent demonstration, the two whitehats used a combination of JIT vulnerabilities in the web browser to perform a sandbox escape and privilege escalation. This demo earned them a $60,000 reward and 10 Pwn points. On the first day of the competition, they won a prize of 140,000 US dollars and ranked 31st in the Master of Pwn.