Jailbreakme: executing native code using the browser, how it works and the security problem behind

Today, August 1st, 2010, a new website (and trending topic) appeared that allow you to jailbreak your iPhone, iPod or iPad using iOS 3.1, 3.2 or 4.0: Jailbreak Me.

The main advantage of this new jailbreak method is that the process is done entirely from the browser, Safari on iOS. Therefore, it took my attention.

How can a website, with just HTML, CSS and JavaScript can execute a code that changes the operating system?

If you don’t know what jailbreak is: an operating system cracking method that allows the installation of not-allowed by Apple applications. Since July, 2010, jailbreaking is legal in United States but not authorized by Apple for the warranty (but you can always restore your original OS).

I analyzed the JavaScript source code from Jailbreakme to understand the process. It has an excellent solution to detect which iOS device is using different JavaScript techniques, including execution of SunSpider JS benchmark that I can talk about it in other post.

After detecting the device and OS version, the part doing the jailbreak is just a PDF file. A PDF file? Yes, the jailbreak is done using just a PDF inside an invisible iframe, so I believe that this website is using a PDF security vulnerability for all iOS versions. Here is the code:

var a = document.createElement("iframe");
a.setAttribute("src", page);
a.style.position = "absolute";
a.style.opacity = "0.000001";
a.style.width = "100px";
a.style.height = "100px";
a.style.zIndex = "-9999";

The page object has the URL of any of these PDF files found on http://www.jailbreakme.com/_/

So, there is no magic behind this website, just a vulnerability on the PDF viewer. However, the website is very clever, and has a great implementation of JavaScript and CSS extensions on WebKit to deliver a great visual experience.

I don’t have more information about the PDF itself up to now, because this security problem can lead also to some potential problems for iOS. I mean, any website can now jailbreak your device without your consent! Or maybe install something else on the device. I’m pretty sure that Apple will update the OS to solve this vulnerability but, until now, we have time to test over this security hole over Safari on iOS.

You can access the FAQ of the website, or jailbreak your own iOS device pointing Safari to http://www.jailbreakme.com if you want to test it by your own responsability.


3 thoughts on “Jailbreakme: executing native code using the browser, how it works and the security problem behind

  1. Wow
    if any website can jailbreak your iDevice; and that ends your warranty; Apple should think about changing it’s warranty policy because it’s supposed that I bought an iDevice to do many things, including web browsing. I’m not responsibly of the content of the sites; and in fact I can not know what does a site contain until I visit it.

    Or, may be Apple in fact wants us to jailbreak their devices? Without jailbreaking, Apple will have much less customers. May it be a feature which can not be publicly declared because of contracts with many other enterprises?

Leave a Reply

Your email address will not be published. Required fields are marked *