The ZipperDown Vulnerability could affect roughly 10% of iOS Apps

Experts from Chinese jailbreakers Pangu Lab, have recently discovered the ZipperDown flaw that could affect roughly 10% of iOS Apps.

ZipperDown, is a recently discovered vulnerability that could affect thousands of iOS apps and maybe also Android users.

The ZipperDown flaw was first reported by experts from Chinese jailbreakers Pangu Lab, that described it as described as a programming error.

The experts estimate 15,978 out of 168,951 iOS apps are affected, roughly 10% of the total. The list of affected apps includes popular applications such as Weibo, MOMO, NetEase Music, QQ Music and Kwai.

“While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected Apps.” states the report published by the Pangu Lab.

“We created a signature for the issue and performed a large-scale search on our App analysis platform Janus. Surprisingly, we found that round 10% iOS Apps might be affected by the same or similar issues.”

Pangu Lab has not publicly released details of the flaw and are reporting the problem to the app publishers.

The hackers published a video PoC of the attack that shows a user downloading and using Weibo apps in an unsafe Wi-Fi environment. In this scenario, the attackers gain code execution in the context of user’s Weibo app by exploiting the ZipperDown vulnerability.

Loading video

According to the experts, an attacker can trigger the ZipperDown flaw if at least two unusual conditions are met. The first condition sees the attacker controls the WiFi network to which the device is connected, the second condition is that the app must be running outside the iOS “sandbox.”

An attacker could exploit the flaw to run illicit applications on the affected device, but Pangu Lab added that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.

“What can ZipperDown do?

It depends on the affected app and its privileges. In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.” continues the report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ZipperDown, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.