Hackers can steal your cookies, but Windows Phone mostly survives Mobile Pwn2Own 2014 while iOS and Android fall


13, 2014

Author Surur // in News


The yearly Pwn2Own contest (with prizes as large as $150,000)  is running at present, and in a contest which saw the iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone all giving up complete control to hackers Windows Phone had a partial victory (or defeat), managing to keep the rest of the OS safe while giving up your browser cookies to a hacker.

Security researcher Nico Joly, who previously won the Spring Pwn2Own contest in Vancouver as part of the VUPEN team, attacked the Nokia Lumia 1520 browser, and was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system.

The day before other handsets were not as lucky:

  • An iPhone 5S was taken down by a two-bug attack, one of which managed to execute a full sandbox escape in the Safari browser.
  • Hackers used Near Field communication (NFC) functionality to trigger a deserialization exploit in a Samsung Galaxy S5. A separate team also abused NFC to exploit a logical error also present in the S5, bringing the total number of successful hacks of the smartphone to two.
  • Yet a third hack involving NFC took down an LG Nexus 5 by forcing Bluetooth pairing between phones.
  • An attack wielding three separate bugs successfully commandeered the Amazon Fire Phone’s Web browser.

While Windows Phone survived, it was only against one attacker, and of course losing your cookies is not without its consequences, including being able to make one click purchases on Amazon for example.

The OS does however have a good reputation for security, and the yearly contest does nothing if it does not prove that there is no such thing as an invincible operating system, no matter what Apple and Samsung say.

All vulnerabilities found are immediately disclosed to the OS creators (in this case Microsoft) so hopefully this hole will soon also be patched.

Via Ars Technica

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}