Security researchers have warned hackers could exploit a vulnerability in the Apple iOS to steal data from iPhones, iPads and iPods.
The flaw has been exploited by the JailBreakMe website to allow users to upload software not approved by Apple onto their devices.
The Cupertino firm has not yet patched the zero day vulnerability, meaning users could potentially have malware downloaded on their Apple phones or tablets, security experts said.
Hacker group Dev-Team released the new jailbreak service this week, allowing users to hack their devices solely by following steps online through the mobile Safari browser.
Security researchers have warned the techniques used by Dev-Team could be modified by hackers to compromise Apple devices for malicious means.
Graham Cluley, senior technology consultant at Sophos, said the processes used by JailBreakMe raised some "important security concerns."
"If visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," Cluley said in a blog post.
"If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices."
He suggested the JailBreakMe team could have just given hackers a blueprint on how to infect iPads and iPhones.
However, JailBreakMe has not revealed how to actually exploit the vulnerability, meaning it hasn't truly gone public.
The JailBreakMe creators, known as comex, claimed on their website the vulnerabilities they used would eventually make iOS more secure.
"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable," one of the developers said.
"Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
Nevertheless, as reported by the Guardian, the German federal office for information security has deemed the situation serious enough to put out a warning on the "critical weaknesses."
Affected devices include the iPhone 3GS, iPhone 4, iPad, iPad 2 and the iPod Touch running iOS up to version 4.3.3, the German body said on its website. The soon-to-be-released iOS 5 could be affected too, once it is released in the Autumn.
Apple was forced to fix some flaws last year after the JailBreakMe crew used a number of security flaws to allow people to use non-approved apps.
UPDATE: Apple has confirmed it is working on a fix for the vulnerability.
"Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," a spokesperson said.
The JailBreakMe developers have written their own patch, which is available now, but it will only work for those who have jailbroken their device.
"Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune; due to the nature of iOS, this patch can only be installed on a jailbroken device," comex said.
"Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
