Researchers Vincent Iozzo and Ralf Philipp Weinmann have exploited a previously unknown vulnerability in a fully patched iPhone, managing to pull the entire SMS database – including deleted messages – from the phone.
The exploit involves luring a user to a website, and while it appears to the user as if a page is loading, the exploit is actually uploading the SMS database to a server. The entire process takes around 20 seconds.
It took the pair just two weeks to find the vulnerability and write the exploit, which Weinmann said could also be used to retrieve the contacts database, email database, photo libraries and music files.
TippingPoint ZDI acquired the rights to the information, and will withhold details of the exploit until Apple has patched the vulnerability. Iozzo and Weinmann took away a $15,000 cash prize, and the pwned iPhone, for their efforts.