There were iPhone X, Samsung Galaxy S9, Xiaomi Mi6 which got pawned this year’s Pwn2Own Tokyo 2018.
There were teams from different countries or representing different companies and disclosed total of 18 vulnerabilities in mobile devices by Apple, Samsung, Xiaomi and those vulnerabilities allowed them to own root access.
Two security researchers, Amat Cama and Richard Zhu managed to exploit the vulnerability and fully pawned iPhone X.
Afterward, the Fluoroacetate team proceeded to exploit another mobile phone, Samsung Galaxy S9. They utilized a heap overflow in the baseband segment to get code execution on the mobile. This hack earned the group another $50,000 USD and 15 more points towards Master of Pwn. Fluoroacetate also hacked iPhone – JIT (Just-In-Time) vulnerability in the internet browser pursued by an Out-Of-Bounds write for the sandbox break and escalation. This hack brought them another $60,000 USD and 10 extra Master of Pwn points.
The MWR Labs group additionally joined three bugs to exploit the Samsung Galaxy S9 over Wi-Fi. They redirected the user and forced them to unsafe application to install there custom application. But they failed at first attempt, but they were successful in second attempt, which earned them $30,000 USD and 6 more Master Pwn points.
Another day at Pwn20wn started with more exploiting and vulnerabilities in iPhone X and Xiaomi Mi 6 by Fluoroacetate team.
Their first iPhone X 0-day combined a JIT bug in web browser along with the out-of-bounds access that resulted in deleted photo exfiltrated from the iPhone X. This vulnerability which they exploited got them $50,000 USD.