Free Republic

ZipperDown Vulnerability May Impact 10% of All iOS Apps
BleepingComputer | May 16, 2018 | By Catalin Cimpanu

Posted on 05/17/2018 5:21:51 PM PDT by Swordmaker


Security researchers from Pangu Lab, a well-known company that provides iOS jailbreaks, said on Monday that they have found a vulnerability that they believe affects around 10% of all iOS apps.

Researchers described the issue —which they named ZipperDown— as "a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps."

15,978 out of 168,951 iOS apps are most likely affected

Pangu Lab said it created an automated scan rule to search for ZipperDown in iOS apps. Researchers found that 15,978 out of the total of 168,951 iOS apps they scanned appeared to be impacted by the ZipperDown vulnerability, although apps need to be manually inspected to confirm that they are affected.

We confirmed several iOS apps with more than 100 million users are vulnerable to #ZipperDown#, and found more than 10k iOS apps might have the same or similar issues. Check https://t.co/WOg5AGzREb and contact us for details and fix if your app is in the list. — PanguTeam (@PanguTeam) May 15, 2018

The list of vulnerable apps also includes several high-profile iOS apps that have more than 100 million users, such as Weibo, MOMO, NetEase Music, QQ Music, and Kwai.

Researchers also published a demo video exploiting ZipperDown in the Weibo app to achieve code execution rights.

Devs of vulnerable apps have to contact the researchers

"Due to the large amount of potentially affected apps, we cannot verify all the results precisely," Pangu Lab said.

In addition, because so many apps are affected, researchers couldn't contact the developers of each app individually to inform them of the issue.

The company is asking the developers of apps found on its list of potentially affected apps to contact the research team to receive details about the ZipperDown vulnerability, so each developer can test and fix his application.

If you were the developer or vendor of the apps on the list, you are welcome to contact us. We would share the details of ZipperDown with you, and let us cooperatively fix the potential issue in your app. We would also appreciate it if you could notify us in the case that your listed app is not vulnerable. The best way to reach us is the following Email: zipperdown@pwnzen.com.

Android also affected

Pangu Lab researchers said that Android applications are affected by similar issues and that they will release more details in the future.

The good news is that exploiting ZipperDown is not as straightforward as other vulnerabilities: an attacker must be in a network position to hijack or spoof traffic to the device.

Furthermore, "the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence," researchers said.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: androidapp; applepinglist; iosapps

1 posted on 05/17/2018 5:21:51 PM PDT by Swordmaker

To: Swordmaker

Zipper down leads to severe consequences???

Can’t wait to see some comments about this.......


2 posted on 05/17/2018 5:23:18 PM PDT by Dilbert San Diego

To: dayglored; ThunderSleeps; ShadowAce; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; ...
Vulnerability in about 10% of all tested iOS apps called ZipperDown could cause problems, although it would be difficult for a hacker to exploit, requiring network access and is also mitigated by sandboxing. Finder also claims the same vulnerability is in Android Apple. —PING!


Apple and Android App Vulnerability Ping!

If you want on or off the Mac Ping List, Freepmail me.

3 posted on 05/17/2018 5:25:39 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Dilbert San Diego
Zipper down leads to severe consequences???

Can’t wait to see some comments about this.......

Could be painful. . . oooooh. . . even to think about it for a guy.

4 posted on 05/17/2018 5:27:13 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker
So they don't have time to email 16,000 app developers, but they have bandwidth to respond to 16,000 emails from said developers?

I suspect that had they mentioned this to Apple, they could have found a way to quietly alert the devs.

5 posted on 05/17/2018 6:07:07 PM PDT by texas booster (Join FreeRepublic's Folding@Home team (Team # 36120) Cure Alzheimer's!)

To: Swordmaker

I prefer buttons Swordmaker...


6 posted on 05/17/2018 6:36:00 PM PDT by tubebender

To: Swordmaker

There’s the quandary of wanting to let devs know the problem without publicly revealing the exploit, and of devs wanting to know the issue without exposing their vulnerabilities to a firm of questionable intentions.


7 posted on 05/17/2018 6:40:01 PM PDT by ctdonath2 (The Red Queen wasn't kidding.)

To: Swordmaker; Whenifhow; null and void; aragorn; EnigmaticAnomaly; kalee; Kale; 2ndDivisionVet; ...

billclinton syndrome...


8 posted on 05/17/2018 8:13:37 PM PDT by bitt (t)

To: Swordmaker
"Franks and Beans!"
9 posted on 05/18/2018 5:04:13 AM PDT by rlmorel (Leftists: They believe in the "Invisible Hand" only when it is guided by government.)
