15,978 iOS applications affected by the ZipperDown RCE security vulnerability
During iOS application security audits for various customers, Pangu Lab found a common class of security vulnerability it named ZipperDown. An attacker can use it to tamper with the affected application. Pangu estimates that about 10% of iOS applications may have this problem, roughly 15,978 apps, including Weibo, NetEase Cloud Music, QQ Music, Kuaishou, Street and others. Similar vulnerabilities exist on the Android platform and are currently being confirmed. “It depends on the affected app and its privileges. In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequences.”
We confirmed several iOS apps with more than 100 million users are vulnerable to #ZipperDown#, and found more than 10k iOS apps might have the same or similar issues. Check https://t.co/WOg5AGzREb and contact us for details and fix if your app is in the list.
— PanguTeam (@PanguTeam) May 15, 2018
In the demonstration video, a user opens Weibo on an insecure Wi-Fi network, and an attacker on that network uses the vulnerability to obtain arbitrary code execution inside the Weibo app. According to Pangu Lab, the bug itself is a classic one; what is rare is finding it across such a large share of iOS applications.
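The page does not spell out the mechanism, but ZipperDown is a path-traversal bug in ZIP extraction: an archive the app fetches over an untrusted network (the insecure Wi-Fi in the video) contains an entry whose name climbs out of the extraction directory with `../`, so the app overwrites files in its own container, and overwriting the right file (a script or resource the app later loads) turns data tampering into code execution inside the app's sandbox. The following is an added example, not Pangu Lab's code nor that of any affected app; it is written in Python rather than Objective-C so that it runs stand-alone, and the archive contents, directory layout and the `naive_extract`/`safe_extract` helpers are constructed for the demonstration. The bug shape is the same as in a native unzip routine.

```python
"""ZipperDown-style path traversal in ZIP extraction: a naive extractor beside a
hardened one. Added example, not Pangu Lab's code; archives are constructed here."""
import io
import os
import tempfile
import zipfile


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive. ZipFile.writestr stores entry names verbatim,
    so a name like "../../x" is written exactly as an attacker would craft it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a "theme pack" an app might download over plain HTTP,
# with one entry that climbs out of the extraction directory.
MALICIOUS_ENTRIES = {
    "theme/banner.png": b"benign bytes",
    "../../escaped.js": b"console.log('overwritten by the archive')",
}
BENIGN_ENTRIES = {
    "theme/banner.png": b"benign bytes",
    "theme/style.css": b"body {}",
}


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trust the entry name and join it onto the target
    directory with no containment check. This is the ZipperDown bug shape."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # "../" is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened extraction: validate every entry before writing anything, and
    accept only paths that still resolve inside the destination."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue  # directories are created on demand below
            if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name:
                raise ValueError(f"rejected entry name: {name!r}")
            # realpath collapses ".." and resolves any symlink already on disk,
            # so the containment check sees the path that would really be written
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes extraction directory: {name!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the crafted archive under a scratch directory
    and report where the traversal entry ended up."""
    root = tempfile.mkdtemp(prefix="zipperdown-")
    results = {}
    for label, extract in (("naive", naive_extract), ("safe", safe_extract)):
        dest = os.path.join(root, label, "app", "Documents")
        os.makedirs(dest)
        try:
            extract(build_zip(MALICIOUS_ENTRIES), dest)
            results[label + "_rejected"] = False
        except ValueError:
            results[label + "_rejected"] = True
        # "../../escaped.js" relative to <root>/<label>/app/Documents lands here
        results[label + "_escaped"] = os.path.isfile(os.path.join(root, label, "escaped.js"))
        results[label + "_banner"] = os.path.isfile(os.path.join(dest, "theme", "banner.png"))
    benign_dest = os.path.join(root, "benign")
    os.makedirs(benign_dest)
    results["benign_files"] = len(safe_extract(build_zip(BENIGN_ENTRIES), benign_dest))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the naive extractor the traversal entry is written two directories above the intended target; the hardened one validates the whole archive before writing a single byte, so a malicious download leaves nothing behind, and because both sides of the comparison go through `os.path.realpath`, `..` components and symlinks planted by an earlier entry are resolved before the containment check rather than after.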
We are releasing Janus, a mobile threat intelligence platform https://t.co/9I0Paj76mv. Find intro doc at https://t.co/2qxRCKXqjf. Our team is now conducting security research on mobile apps. If you need security auditing for your apps, please contact us.
— PanguTeam (@PanguTeam) May 15, 2018
Currently, users can check whether an application is affected on the ZipperDown vulnerability website provided by Pangu Lab; the list of affected apps is continuously updated.