Apple iOS v8.x - Message Context & Privacy Vulnerability demonstrated in Wickr App

Apple iOS v8.x - Local Message Context & Privacy Vulnerability demonstrated in Wickr App

Due to some tests in the mobile vulnerability lab the german researcher Benjamin Kunz Mejri discovered a privacy issue in connection with a glitch. The issue allows to merge the message select context menu ahead to an application task even if the task requires an auth. The researcher reported the vulnerability to the apple product security team as responsible disclosure issue.

Technical Details

During the security tests of the vulnerability laboratory we releaved that the interface allows due to a design flaw that a local attacker can capture/access temp saved app information. In our testings we used the wickr software and was typing inside of the users bar a username to chat, then we marked the username word context. After that the local attacker can use siri to glitch in the exisiting menu back to the pass code screen. By default the internet settings can be disabled or the attacker turns down the switch. Now the app requires an authorization to access because the task is still running. Ahead to the login the copy mask is glitched in the process and the attacker can copy the information back to the notepad or anything else. The same trick works well with any input thats allows to use the menu ahead in an app.

The controls of the interface guess to refresh the app task controls on reactivation which results in a design issue and glitch bug that allows to compromise for example local information or data. We already informed wickr about the issue but they refered us to the apple security team.

Proof of Concept

The local glitch issue can only be exploited by local attackers with physical device access and without user interaction. For security demonstration
or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1.  Open the wickr app
2.  Start to write somebody a messsage but do not send it
3.  Mark the message text to get the and push twice to get the message menu context (select, input, define & paste)
Note: Leave the config like it is with the available message menu context
4.  Press the siri button next to the keyboard
5.  Now press the siri symbole by pushing 2 seconds the home button
6.  Make a screenshot by usage of the powerbutton and press only the power button again after it
7.  Disable the internet connection by usage of the default menu bar ahead to the pass code login (bottom slidebar)
8.  After the disconnect the local attacker login to the pass code
9.  Opens the app again
Note: Now the app requires that the user login to get access to the messages
10. Ahead to the task has the message menu context bar glitches and temp saved since a button in the task gets pushed
11. We click to copy the input and switch back to the notepad service. Now we are able to save the information of the app through the glitch.
12. Successful reproduce of the local glitch issue that affects the local app security.

Video Demonstration:
The video demonstration shows how a secure app blocks the access after the internet connection has been canceled. During a glitch that allows to jump out of the app menu context with siri the issue allows to copy still marked context input. The researcher demonstrates the issue in the wickr app. He copies in the running task, disconnects and uses a glitch the get the information of the input without authorization of the app. The glitch can be exploited in conenction with the siri function but without direct usage. 

The issue that has been disclosed also affects every app that requires after a second access or by time duration an auth to access. The simsme messenger of the telekom is also affected by the issue like wickr but the issue itself is located in Apples iOS.

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1346