Apple iOS v8.x - Message Context & Privacy Vulnerability

Abstract Advisory Information:
==============================
Vulnerability Disclosure Timeline:
Discovery Status:
Affected Product(s): Apple iOS v8.0, v8.0.2 & v8.1.2 (iPhone 5, iPhone 5s & iPhone 6)
Exploitation Technique: Local
Severity Level: Medium (CVSS 4.2)

Technical Details & Description:
================================
A design issue combined with a glitch bug has been discovered in the official Apple iOS v8.1.2 mobile operating system. The vulnerability lets a local attacker abuse a design misconfiguration together with the glitch to compromise device data. During the security tests of the Vulnerability Laboratory we found that, because of this design flaw, a local attacker can capture and access information that an app has temporarily saved. In our tests we used the Wickr app: we typed a username into the user bar to start a chat, then marked (selected) the username text so that the selection context menu appeared. The local attacker then uses Siri to glitch out of the existing menu back to the passcode screen. The internet connection may already be disabled by default, or the attacker turns it off with the switch in the menu bar. The app now requires authorization before its content can be accessed, because its task is still running. Ahead of that login, the copy mask stays glitched in the running process, and the attacker can copy the selected information into the Notes app or anywhere else. The same trick works with any input field that allows the context menu to be opened inside an app. The interface is supposed to refresh the app's task controls on reactivation but does not, which results in a design issue and glitch bug that allows local information or data to be compromised. We already informed Wickr about the issue, but they referred us to the Apple security team.

Vulnerable Version(s):
[+] Apple iOS v8.0, v8.1.2 & iOS 8.0.2

Vulnerable Hardware:
[+] iPhone 5, iPhone 5s & iPhone 6

Proof of Concept (PoC):
=======================
The local glitch issue can only be exploited by local attackers with physical device access and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

1. Open the Wickr app.
2. Start to write somebody a message but do not send it.
3. Mark (select) the message text and tap it twice to get the message context menu (select, input, define & paste).
   Note: Leave the configuration as it is, with the message context menu still visible.
4. Press the Siri button next to the keyboard.
5. Now invoke Siri by holding the home button for 2 seconds.
6. Take a screenshot using the power button, then press only the power button again afterwards.
7. Disable the internet connection using the default menu bar (bottom sidebar) ahead of the passcode login.
8. After the disconnect, the local attacker logs in through the passcode screen.
9. Open the app again.
   Note: The app now requires the user to log in to get access to the messages.
10. Ahead of the task, the message context menu bar is glitched and kept in its temporary state, since a button in the task has been pushed.
11. Tap copy on the input and switch back to the Notes service. Now we are able to save the information of the app through the glitch.
12. Successful reproduction of the local glitch issue that affects the local app security.

Video Demonstration:
The video demonstration shows how a secure app blocks access after the internet connection has been cancelled. A glitch that allows jumping out of the app's menu context with Siri makes it possible to copy input that is still marked. The researcher demonstrates the issue in the Wickr app. He copies in the running task, disconnects, and uses the glitch to get the input without the app's authorization. The glitch can be exploited in connection with the Siri function, but without directly using it.

Video: Link

Solution - Fix & Patch:
=======================
The vulnerability can be patched by refreshing the app's task process so that the text selection context menu (select, paste, copy & define) is closed. That would ensure the menu is always dismissed when a secure app that was started earlier is reopened behind its own login.
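The following is an added example of the app-side hardening described above, written for this page; it is not Apple's or Wickr's code. It attaches to an app's sensitive text inputs and tears down any active selection and the Select/Copy/Paste/Define menu the moment the app resigns active (Siri, lock screen, Control Center, app switcher), then keeps a privacy cover over the window until the app's own login flow calls `unlock()`. The class name `SelectionPrivacyGuard`, the `onLockRequired` hook and the `privacyCoverTag` value are assumptions made for the example; the UIKit calls are real.

```swift
import UIKit

/// Added example (not Apple's or Wickr's code): guard that clears text
/// selection state and the UIMenuController context menu whenever the app
/// resigns active, so nothing selectable survives into the locked app.
final class SelectionPrivacyGuard {
    private weak var window: UIWindow?
    private let sensitiveInputs: [UIView & UITextInput]
    private let privacyCoverTag = 0x5EC            // assumed tag value
    /// Hook the app uses to require its own login again (hypothetical name).
    var onLockRequired: (() -> Void)?

    init(window: UIWindow, sensitiveInputs: [UIView & UITextInput]) {
        self.window = window
        self.sensitiveInputs = sensitiveInputs
        let nc = NotificationCenter.default
        nc.addObserver(self, selector: #selector(appWillResignActive),
                       name: UIApplication.willResignActiveNotification, object: nil)
        nc.addObserver(self, selector: #selector(appDidBecomeActive),
                       name: UIApplication.didBecomeActiveNotification, object: nil)
    }

    deinit { NotificationCenter.default.removeObserver(self) }

    /// Fired on Siri, lock screen, Control Center and the app switcher:
    /// drop the selection state the advisory shows surviving into the
    /// locked app, and hide the content behind an opaque cover.
    @objc private func appWillResignActive() {
        clearSelectionAndMenu()
        showPrivacyCover()
    }

    /// On reactivation, clear again (the menu can be re-shown by the task)
    /// and ask the app to run its own authentication before unlock().
    @objc private func appDidBecomeActive() {
        clearSelectionAndMenu()
        onLockRequired?()
    }

    func clearSelectionAndMenu() {
        for input in sensitiveInputs {
            input.selectedTextRange = nil      // no marked text left behind
            input.resignFirstResponder()       // dismiss keyboard and its menu
        }
        if #available(iOS 13.0, *) {
            UIMenuController.shared.hideMenu()
        } else {
            UIMenuController.shared.setMenuVisible(false, animated: false)
        }
    }

    private func showPrivacyCover() {
        guard let window = window,
              window.viewWithTag(privacyCoverTag) == nil else { return }
        let cover = UIView(frame: window.bounds)
        cover.tag = privacyCoverTag
        cover.backgroundColor = .black
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(cover)
    }

    /// Call only after the user has re-authenticated inside the app.
    func unlock() {
        window?.viewWithTag(privacyCoverTag)?.removeFromSuperview()
    }
}
```

Create one guard from the app delegate with the compose field and any other sensitive inputs, set `onLockRequired` to present the app's login screen, and call `unlock()` from the login success path. The design choice is to clear selection on `willResignActive` rather than on `didEnterBackground`: Siri and Control Center only resign the app, they do not background it, which is exactly the window the proof of concept above exploits.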

Security Risk:
==============
The security risk of the security glitch issue in Apple iOS is estimated as medium. (CVSS 4.2)

Source: Link

More articles by Mayur Agnihotri