Windows Phone security sandbox survives Pwn2Own unscathed



Microsoft's Windows Phone emerged only partially scathed from this year's Mobile Pwn2Own hacking competition after a contestant failed to fully pierce its defenses.

 

A blog post from Hewlett-Packard, whose Zero Day Initiative organizes the contest, provided only sparse details. Nonetheless, the account appeared to show Windows Phone largely surviving. An HP official wrote:

 

First, Nico Joly, who refined his competition entry on the very laptop he won at in Vancouver as part of the VUPEN team, was the sole competitor to take on Windows Phone (the Lumia 1520) this year, entering with an exploit aimed at the browser. He was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system.

 

No further details were immediately available. HP promised to provide more color about hacks throughout the two-day contest in the coming weeks, presumably after companies have released patches.

 

The Windows Phone attack came during day two of the mobile hacking contest. During day one, an iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all fully hijacked. More details are here.


The word "exfiltrate" means to extract or withdraw, which means he was able to download all your cookies to his machine. Although cookies don't store overly personal information, like login details, attackers can use this information to perform MITM attacks as well as spy on your browsing history. 

 

Also, I'm not posting links because I don't want to get warned, but extracting authentication cookies and injecting them into your own browsing session is child's play. It is as easy as using a Greasemonkey script. This is a pretty big security hole that never should have seen the light of day.
