A team of hackers has discovered an exploit that allows them to remotely jail-break and install malicious apps on iPhones. No information about the zero-day exploit is being released, but security startup Zerodium is saying that it is paying out the bounty that it posted back in September: a cool $1 million.
Zerodium had originally promised the bounty to anyone who could build an exploit targeting either Chrome or Safari. These are the two most popular browsers on among Apple users, and is likely the reason for the narrow requirements. According to Zerodium, two teams managed to submit their exploits before the 31 October closing date for the bounty; although only one was fully working.
The real question at the moment is what Zerodium intends to do with the knowledge that it has. The company is run by founder Chaouki Bekrar, who intends to sell the information to US based customers. Who these customer are is unknown, but it does not look like Bekrar is interested in sharing what he knows with Apple. Bekrar’s previous company, Vupen, was in the business of building zero-day exploits and selling them to governments.
It looks like Bekrar is still in the same business, although he seems to be just as happy buying the exploits to be sold later. However, Bekrar has said that his company is announcing the payout of the bounty so that people are aware that while iOS is an extremely hardened target, it is not invulnerable.