Apple has accidentally re-introduced a bug in iOS 12.4 that can jailbreak an updated iPhone, and also expose the same device to easy take over from a malicious app.
Ironically, Apple originally patched the bug in iOS 12.3 back in May, but for some reason failed to do so in iOS 12.4, which was released last month, according to Motherboard, which was first to report the news. As a result, the iPhone jailbreaking community has had a field day exploiting the flaw.
FWIW, you can now use Apple Card on a jailbroken firmware (iOS 12.4) — Credits to @Apple for making the jailbreak possible. — Pwn20wnd is reviving 0-Days (@Pwn20wnd) August 18, 2019
On Sunday, the hacker Pwn20wd publicly released a jailbreaking tool that exploits the bug in iOS 12.4 to let you modify Apple's operating system, and install unsanctioned third-party apps. Since then, users on Twitter have been posting screen shots and video, claiming the tool works.
So far, Apple hasn't commented on the issue, but the vulnerability is also bad news for the security of iOS. That's because the bug in question can also help cybercriminals and state-sponsored spies to install malware over an iOS device.
By exploiting the vulnerability, a malicious application can execute code on an iPhone or iPad with system privileges, bypassing the iOS "sandboxing" protections on board, according to Apple's original report on the bug. As a result, security researchers are warning iPhone owners with iOS 12.4 to be careful around suspicious internet links and attachments; it may only be a matter of time before hackers try to exploit the vulnerability with malicious apps or web pages that attempt to exploit the bug to take over an iPhone.
"Today is a good day for makers of spyware and a bad day for everyone who owns an iPhone," said Eva Galperin, cybersecurity director at the Electronic Frontier Foundation in a tweet.
Fortunately, Apple appears to be working on a patch, according to Motherboard.