Security Research

Keen Team exploits Safari for mobile browser category

Heather_Goudey on ‎11-12-2013 08:34 PM

We have our first winner! In the mobile browser category, Keen Team (from Keen Cloud Tech) demonstrated two iPhone exploits via Safari. The team of eight from China didn’t compromise the sandbox so they will be splitting the $27,500 as compensation.


In a world where social media is thoughtlessly ubiquitous, the Keen Team, with remarkable ease, demonstrated two exploits that were a wake-up call to those who share their personal information on mobile devices.


The team demonstrated two exploits against Safari on an iPhone 5 with the following results:

  • Captured Facebook credentials on iOS version 7.0.3
  • Stole a photo on iOS version 6.1.4

Note that these phones are NOT jail-broken.


The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.


Regardless, this was a lesson to be careful with what personal details you share online and to think twice before you click.


The second was another Safari exploit and it took a little longer due to technical difficulties (we forgot to plug their laptop in). In this case the vulnerability in Safari was exploitable due to issues with the permissions model. Keen Team was able to access photos stored on the device. Again, in order to be successful the affected user would need to click on a link.


Both exploit demonstrations took no more than 5 minutes to achieve.


To the best of our knowledge, these vulnerabilities do not affect Blink (a rendering engine for the Chromium project).


The vulnerabilities have been disclosed to Apple and Google, and they’ll be working to research and remediate these issues as applicable. (The vuln was disclosed to Google in order to verify that Blink, and thus Chrome, was not affected.)


Keen Team was represented by Daniel Wang, James Fang and Liang Chen. This team also includes Wu Shi, a former external ZDI platinum researcher, renowned for spotting a broad range of vulnerabilities on multiple platforms. Keen Team are the first Chinese team to win at Pwn2Own.


Up next, Takeshi Terada and Tomonori Shiomi, of Mitsui Bussan Secure Directions, Inc. are attempting exploits against several applications installed by default on the Samsung Galaxy S4.


 You can find the contest rules here.
