iPhone, iPad (plus MacOS tools, on github)
Verbatim:
o *iPhone: a zero-day vulnerability allows spying on your personal data*
<
https://www.gizchina.com/2020/05/06/iphone-a-zero-day-vulnerability-allows-spying-on-your-personal-data/>
" This affects the latest iOS version 13.4.1."
"After a serious mail vulnerability, a new zero-day vulnerability
has appeared in iOS and iPadOS. Apple is again struggling with a
zero-day bug"
"users' personal data can be hacked due to a bug in reading XML files.
It allows hackers to bypass certain security checks before publication
on the App Store. This enables applications to have unlimited
privileges."
"the bug will be eliminated with the upcoming iOS 13.5 update"
"At the time of writing, this bug is still present on the latest
non-beta version of iOS."
The article published notes said to be from the hacker...
"*Well over 3 years since discovery* is not half bad for such a bug,
but I sure would've loved to keep it another decade or two,
and I know I'll dearly miss it in the time to come."
"We can also ask ourselves *how a bug like that could ever exist*.
Why there are 4 different plist parsers on iOS.
Why we are still using XML even."
See also these tools, also available on MacOS:
o AMFI/amfid entitlements check bypass, iOS sandbox escape.
<
https://github.com/Siguza/psychicpaper>
"This repo also contains a tool I called plparse, that can be used
to invoke three different XML/plist parsers present on macOS & iOS.
--
Bringing TRUTH to Apple newsgroup via verbatim application of simple facts.