A tutorial on using Frida to intercept HTTPS traffic from Flutter iOS applications without requiring VPN or iptables configuration, likely focusing on SSL pinning bypass techniques.
Ghost Reader AI is an offline iOS app that performs on-device text-to-speech using the Kokoro-82M model, requiring no internet connection or cloud processing while maintaining complete user privacy and supporting multiple document formats (PDF, EPUB, web articles, Markdown).
A researcher discovered a biometric authentication bypass in WhatsApp on both Android and iOS by exploiting the chat transfer feature when switching to WhatsApp Business, allowing unauthenticated access to locked chats. Two separate $500 bounties were awarded for the Android (July 2023) and iOS (January 2024) variants of the same vulnerability.
AirDoS is a denial-of-service vulnerability in iOS that allows attackers to remotely spam nearby iPhones/iPads with infinite AirDrop share popups, rendering the UI unusable until the device is restarted or the user escapes Bluetooth/WiFi range. Apple patched it in iOS 13.3 (December 2019) with a rate limit that auto-declines requests after 3 rejections from the same device.
A researcher discovered a DoS vulnerability in WhatsApp for Android/iOS/Web where a malicious payload embedded in a contact file could crash the victim's phone upon delivery. The vulnerability was patched by Facebook/WhatsApp after ~2 months, and the researcher received a $500 bounty.
A researcher discovered a DoS vulnerability in WhatsApp for iOS and Android in which specially crafted Unicode characters and emojis in contact names would crash the application, earning a $500 bounty from Facebook Security.
A stored blind XSS vulnerability in the Telegram iOS app allowed arbitrary HTML/JavaScript execution via unvalidated HTML files in a webview, enabling device fingerprinting, user activity tracking, and IP geolocation. It was successfully exploited by uploading a malicious HTML file that executed JavaScript to extract navigator object data and communicate with an attacker server.
A stored XSS vulnerability was discovered in Outlook.com's iOS browser implementation when viewing crafted PowerPoint files containing JavaScript protocol hyperlinks. The attack requires uploading a specially formatted .ppt file (saved as 97-2003 format) with a malicious javascript: URL, which executes when clicked in the email attachment viewer on iOS browsers.
Three XSS vulnerabilities were discovered in ProtonMail for iOS: one via SVG onload in the applewebdata origin, one via a javascript URI requiring click interaction, and one via a base64-encoded HTML embed in the data origin. While the XSSs do not allow email exfiltration, they enable JavaScript execution, privacy violations through tracking, phishing, and UXSS in privileged contexts.
CVE-2019-17004 is a semi-universal XSS vulnerability in Firefox for iOS that allowed attackers to execute JavaScript on arbitrary origins by exploiting insufficient checks on JavaScript execution via Location response headers, originating from the bookmarklets functionality. The vulnerability was also found in Brave for iOS and both vendors patched it after responsible disclosure.
Apple released security updates for older iOS and iPadOS versions (15.8.7 and 16.7.15) to address the Coruna exploit previously disclosed by Google, providing security fixes to devices unable to upgrade to iOS 17 or later.