Zerodium’s $1 million bounty for hacking the new iOS 9 has apparently been claimed. The company posted a tweet on its Twitter account congratulating the winners. The company had announced the bounty program, called the Million Dollar iOS 9 Bug Bounty, in September and had given hackers until October 31 to come up with a zero-day exploit for iOS 9.
In its tweet, Zerodium said, “Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!” They didn’t mention who won the bounty. They were also not clear if the security exploit was limited to Apple’s Safari web browser or all browsers used on the devices. If this is true, and Zerodium does indeed have a hack, then it is possible that all Apple devices running iOS 9, including the new iPhone 6s and the 6s Plus, are vulnerable.
Zerodium is a zero-day acquisition platform that was willing to pay out $1 million to each individual or team who could create and submit an exclusive, browser-based, and untethered jailbreak for iOS 9. The company was ready to pay a total of $3 million in rewards for iOS 9 exploits and jailbreaks. The program was aimed at experienced security researchers, reverse engineers, and jailbreak developers. There were a number of conditions for any submission to be eligible for the bounty. One of these conditions was that any submission must lead to and allow remote, privileged, and persistent installation of an arbitrary app on a device with iOS 9. Another condition was that the attack could be through a webpage that targets the default configuration of mobile Safari or Chrome. It could also be through a webpage that targets any app that is reachable through the browser. The attack could also occur through a text or multimedia file delivered through SMS or MMS. The company had also said that the whole process should be achievable remotely and silently, without any interaction from the user except visiting a page or reading an SMS/MMS. Zerodium had also said that submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits. However, it had said that it may make a distinct offer for a partial exploit.