A Chinese security researcher published the technical details of many vulnerabilities in Apple Safari web browser and iOS which permits a remote hacker to jailbreak and compromise victims’ iPhoneX running iOS 12.1.2 and earlier versions.
In order to do this, the hacker has to mislead the users to open a specifically crafted web page using Safari browser.
The exploit dubbed as “chaos”make use of two security vulnerabilities which was demonstrated initially at TianfuCup hacking contest held in November last year following reporting it to the Apple.
The researcher, Qixun Zhao of Qihoo 360’s Vulcan Team released proof-of-concept video demonstration of the exploit after Apple released their iOS version 12.1.3 to patch the issues.
The researcher states that the remote Jailbreak exploit is a blend of two vulnerabilities, which are a type confusion memory corruption flaw (CVE-2019-6227) in Apple’s Safari WebKit and a use-after-free memory corruption issue (CVE-2019-6225) in iOS Kernel.
Take a look at the video demonstration of the Chaos iPhone X jailbreak exploit
The Safari flaw permitted maliciously crafted web content to execute arbitrary code on the targeted device, and then used the second bug to elevate privileges and install a malicious application silently.
The code for iOS jailbreak has not been published to prevent any attack against Apple users and the researcher believes that the jailbreak community would use this information to find a suitable jailbreak exploit for users.
It is advised that the iPhone users must install the latest iOS update at the earliest rather than opting for a jailbreak.