Security Research

Keen Team exploits Safari for mobile browser category

Heather_Goudey on ‎11-12-2013 08:34 PM

We have our first winner! In the mobile browser category, Keen Team (from Keen Cloud Tech) demonstrated two iPhone exploits via Safari. The team of eight from China didn’t compromise the sandbox so they will be splitting the $27,500 as compensation.


In a world where social media is thoughtlessly ubiquitous, the Keen Team, with remarkable ease, demonstrated two exploits that were a wake-up call to those who share their personal information on mobile devices.


The team demonstrated two exploits against Safari on an iPhone 5 with the following results:

  • Captured Facebook credentials on iOS version 7.0.3
  • Stole a photo on iOS version 6.1.4

Note that these phones are NOT jail-broken.


The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.


Regardless, this was a lesson to be careful with what personal details you share online and to think twice before you click.


The second was another Safari exploit and it took a little longer due to technical difficulties (we forgot to plug their laptop in). In this case the vulnerability in Safari was exploitable due to issues with the permissions model. Keen Team was able to access photos stored on the device. Again, in order to be successful the affected user would need to click on a link.


Both exploit demonstrations took no more than 5 minutes to achieve.


To the best of our knowledge, these vulnerabilities do not affect Blink (a rendering engine for the Chromium project).


The vulnerabilities have been disclosed to Apple and Google, and they’ll be working to research and remediate these issues as applicable. (The vuln was disclosed to Google in order to verify that Blink, and thus Chrome, was not affected.)


Keen Team was represented by Daniel Wang, James Fang and Liang Chen. This team also includes Wu Shi, a former external ZDI platinum researcher, renowned for spotting a broad range of vulnerabilities on multiple platforms. Keen Team are the first Chinese team to win at Pwn2Own.


Up next, Takeshi Terada and Tomonori Shiomi, of Mitsui Bussan Secure Directions, Inc. are attempting exploits against several applications installed by default on the Samsung Galaxy S4.


You can find the contest rules here.
