Today, August 1st, 2010, a new website (and trending topic) appeared that allows you to jailbreak your iPhone, iPod or iPad running iOS 3.1, 3.2 or 4.0: Jailbreak Me.
The main advantage of this new jailbreak method is that the whole process is done from the browser, Safari on iOS. That is what caught my attention.
If you don’t know what jailbreaking is: it is a method of breaking the operating system’s restrictions so that applications not allowed by Apple can be installed. Since July 2010, jailbreaking is legal in the United States, but it is not authorized by Apple and affects the warranty (you can always restore the original OS, though).
After detecting the device and OS version, the part that actually does the jailbreak is just a PDF file. A PDF file? Yes: the jailbreak is done with a PDF loaded inside an invisible iframe, so I believe that this website is exploiting a PDF security vulnerability present in all these iOS versions. Here is the code:
```javascript
// The iframe is created by script and styled so the user never sees it:
var a = document.createElement("iframe");
a.style.position = "absolute";   // taken out of the normal page flow
a.style.opacity = "0.000001";    // effectively transparent, but still rendered
a.style.width = "100px";
a.style.height = "100px";
a.style.zIndex = "-9999";        // stacked behind every other element
```
The iframe is then pointed at one of the PDF files hosted under http://www.jailbreakme.com/_/, chosen according to the detected device and OS version.
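The delivery pattern described above (an iframe styled to be invisible that loads a PDF) is something a page inspector or browser extension can flag. The following is an added example, not code from the original post or from the JailbreakMe site; the function names and the sample frame list are constructed for illustration.

```javascript
// Added example: heuristic detection of invisible iframes that load a PDF.
// Function and sample names below are this example's own, not from the post.

function parseInlineStyle(styleText) {
  // "opacity:0.000001; z-index:-9999" -> { opacity: "0.000001", "z-index": "-9999" }
  const out = {};
  for (const decl of (styleText || "").split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue;
    out[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim();
  }
  return out;
}

function frameSuspicionReasons(frame) {
  // frame: { src, style } where style is the element's inline CSS text.
  const reasons = [];
  const path = (frame.src || "").toLowerCase().split(/[?#]/)[0];
  if (!path.endsWith(".pdf")) return reasons;      // only PDF-bearing frames here
  const s = parseInlineStyle(frame.style);
  const num = (v) => (v === undefined ? NaN : parseFloat(v));
  if (num(s.opacity) < 0.05) reasons.push("near-zero opacity");
  if (num(s["z-index"]) < 0) reasons.push("negative z-index");
  if (s.display === "none" || s.visibility === "hidden") reasons.push("display/visibility hidden");
  if (num(s.width) <= 1 || num(s.height) <= 1) reasons.push("tiny frame");
  if (num(s.left) < -100 || num(s.top) < -100) reasons.push("positioned off-screen");
  return reasons;
}

function flagHiddenPdfFrames(frames) {
  // Returns only the frames that match at least one hiding heuristic.
  return frames
    .map((f) => ({ src: f.src, reasons: frameSuspicionReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// In a browser this collects the frames from the live DOM; styles set through
// element.style (as in the post's snippet) are reflected in the style attribute.
function collectFramesFromDocument(doc) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => ({
    src: el.getAttribute("src") || "",
    style: el.getAttribute("style") || "",
  }));
}

// Constructed sample input: one frame styled like the post's snippet, one ordinary PDF embed.
const SAMPLE_FRAMES = [
  { src: "/_/sample_constructed.pdf", style: "position:absolute; opacity:0.000001; width:100px; height:100px; z-index:-9999" },
  { src: "/docs/manual.pdf", style: "width:600px; height:800px" },
];
```

Running `flagHiddenPdfFrames(collectFramesFromDocument(document))` from the console reports the frames a user would never see; the thresholds are deliberately loose heuristics, not a proof of malicious intent.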
I don’t have more information about the PDF itself yet, because this security problem can also lead to some potential problems for iOS. I mean, any website can now jailbreak your device without your consent! Or maybe install something else on the device. I’m pretty sure that Apple will update the OS to fix this vulnerability, but until then we have time to test this security hole in Safari on iOS.