jakem1 Posted November 13, 2014 Share Posted November 13, 2014 Microsoft's Windows Phone emerged only partially scathed from this year's Mobile Pwn2Own hacking competition after a contestant failed to fully pierce its defenses. A blog post from Hewlett-Packard, whose Zero Day Initiative organizes the contest, provided only sparse details. Nonetheless, the account appeared to show Windows phone largely surviving. An HP official wrote: First, Nico Joly?who refined his competition entry on the very laptop he won at this spring?s Pwn2Own in Vancouver as part of the VUPEN team?was the sole competitor to take on Windows Phone (the Lumia 1520) this year, entering with an exploit aimed at the browser. He was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system. No further details were immediately available. HP promised to provide more color about hacks throughout the two-day contest in the coming weeks, presumably after companies have released patches. The Windows Phone attack came during day two of the mobile hacking contest. During day one, an iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all fully hijacked. More details are here. vcfan, Stoffel, MDboyz and 2 others 5 Share Link to comment Share on other sites More sharing options...
BajiRav Posted November 19, 2014 Share Posted November 19, 2014 Nice! Link to comment Share on other sites More sharing options...
f0rk_b0mb Posted November 19, 2014 Share Posted November 19, 2014 The word "exfiltrate" means to extract or withdraw, which means he was able to download all your cookies to his machine. Although cookies don't store overly personal information, like login details, attackers can use this information to perform MITM attacks as well as spy on your browsing history. Also, I'm not posting links because I don't want to get warned, but extracting authentication cookies and injecting them into your own browsing session is child's play. It is as easy as using a greasemonkey script. This is a pretty big security hole that never should have seen the light of day. neo158 1 Share Link to comment Share on other sites More sharing options...
Recommended Posts