Apple has had a horrendous last few days. At the recent Black Hat convention, security researchers managed to hack Apple’s Face ID system and later on, it was discovered that Apple was activating a secret software inside its latest iPhones that sends users a warning and disables features if their battery hasn’t been replaced at an official Apple Store. Now, Apple’s week of extraordinarily bad luck continues as a serious security flaw has been unearthed which every iPhone and iPad user needs to know about.
As per a report by Apple Insider, a security firm called Check Point has revealed that they have found a way to hack each and every iOS device that runs iOS 8 all the way up to the unreleased iOS 13. This hack covers up to eight years of iOS devices which starts from the 2011 iPhone 4S and Apple CEO Tim Cook claims that there are 1.4 billion iPhone and iPad users the world over. This means that pretty much every iOS user around the globe is at risk.
Check Point states that the iOS Contacts app can be exploited using the basic SQLite database that any search of Contacts can trick the iPhone or iPad into running a malicious code that’s capable of stealing user’s data and passwords.
Check Point states, “SQLite is the most wide-spread database engine in the world. It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite."
However, the startling revelation is that why should the Contacts app vulnerability exist in the first place? If Check Point is right, then this capitalizes on a known bug that Apple has failed to address for four years.
Check Point researcher’s write, “Wait, what? How come a four-year-old bug has never been fixed?" This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."
In other words, Apple got sloppy and Apple Insider explains, “The bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps. However, Check Point's researchers then managed to make a trusted app [the ubiquitous Contacts app] send the code to trigger this bug and exploit it.”
This appears to be a lazy oversight which has some potentially severe consequences. However, the hackers need an unlocked iOS device to exploit it but this may change. An elated report by Forbes states, “After all, just last month six flaws were found in iMessage which allowed hackers to read your files from anywhere and one of them remains unpatched to this day. “