Treason Bug Hacks into iPhones

Wednesday, April 25, 2012 @ 10:04 PM gHale

There is a high severity HTML Inject and File Include security holes in TreasonSMS, an iPhone application that allows users to send text messages from their desktop computers by turning the phone into a SMS webserver.

The remotely exploitable vulnerabilities allow an attacker to “include malicious persistent script codes on the application-side of the iPhone,” said researchers at the Vulnerability Lab.

Text Message Malware Hits Android
Android Apps Huge Malware Target
Popular App Means Malware’s Brewing
Malware Strikes Android Apps

The security hole can also inject webshell scripts that would give cybercriminals complete control of the affected application directory.

If the device ends up jailbroken, things become even more complicated. On tampered iPhones an attacker could take control not only of the application folder, but also of the entire phone.

“The Bug is located in the input fields of the Message Sending & Message Output. An attacker can scan the victim on walkthrough because the IP of the webserver makes the TreasonSMS available to anybody without password,” said Benjamin Kunz Mejri, founder and chief executive of Vulnerability Lab.

“To exploit somebody on a walkthrough it’s only required to scan for the stable IP via WLAN and access the panel for exploitation.”

Leave a Reply

You must be logged in to post a comment.