Apple’s iOS 12.4 update accidentally unpatched a vulnerability that was fixed in iOS 12.3, once again enabling the ability to jailbreak iOS 12.4 devices. (Via Motherboard)
Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it’s currently relatively easy to not only jailbreak up to date iPhones, but also hack iPhone users, according to people who have studied the issue.
A publicly available, free jailbreak is now available from Pwn20wnd, and works on devices running the latest version of iOS, or any version of iOS below 12.3.
Security researcher Jonathan Levin told Motherboard that the accidental “unpatch” once again makes iPhone users vulnerable to a “100+ day exploit,” referring to how long the bug has been around.
Unfortunately, the bug can apparently be used to install spyware on a target iPhone, as pointed out by Ned Williamson from Google Project Zero:
The researcher told Motherboard that “somebody could make a perfect spyware” taking advantage of Apple’s mistake. For example, he said, a malicious app could include an exploit for this bug that allows it to escape the usual iOS sandbox–a mechanism that prevents apps from reaching data of other apps or the system–and steal user data.
Another scenario is a hacker including the exploit in a malicious webpage, and pairing it with a browser exploit, according to the researcher.
Security researcher, Stefan Esser has tweeted that people should be careful what apps they download from the App Store right now.
A number of users have confirmed that the jailbreak works once again, and that their device were able to have been jailbroken using the exploit. Apple will likely fix the bug very soon.