Vincenzo Iozzo and Ralf Philipp Weinmann took part in Pwn2Own 2010, and managed to hijack iPhone’s SMS Database withing 20 seconds!
This duo used an exploit previously unknown and created a webpage. By luring targeted iPhone to the site, it will hijack the iPhone’s SMS database within 20 seconds.
Although this exploit will cause iPhone’s Safari to crash, but Weinmann said with more codes and effort, he could successfully attack without crashing the browser.
Weinmann explained :
Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control
Weinmann, a 32-year-old from the University of Luxembourg, collaborated with Iozzo (a 22-year-old Italian researcher from Zynamics) on the entire hijacking process, from finding the vulnerability to writing the exploit.
The entire process took them about two weeks.
Iozzo and Weinmann received $15,000 for writing this contest-winning exploit, but no details of the hack will be released until Apple has been notified and is able to patch the vulnerability. [ZDNet]