A newly discovered timestamp security bug may leave your iOS device photos exposed regardless of whether or not your device is passcode locked. Ade Barkah, a Canadian tech consultant, has figured out that changing the time on your device will leave any photo taken in the “future” accessible via the quick camera toggle on the home screen.

The quick toggle is a new feature in iOS 5 that allows you to double tap your home button to access your camera app. From there you can tap into your image gallery. If your device is passcode locked, you will receive a message asking you to unlock your device to view photos. Unless you change the time on your device. Anything taken after that time stamp will be viewable as the phone will assume nothing exists after that point in time.

Turns out Apple’s restriction is just a simple filter based on the timestamp when the Camera app was invoked. You’re allowed to see all images with a timestamp greater than this invocation time. Yet that leads to an immediate hole: if your iPhone’s clock ever rolls back, then all images with timestamps newer than your iPhone’s clock will be viewable from your locked phone.

This could be a potential issue for anyone that travels frequently or has a need to change timezones. You can test this by simply changing the time and popping into your quick toggle even when the device is locked. Better get to deleting those inappropriate pictures!

Source: Peekay.org via CNET

Skype has stated they are aware of a serious cross-site scripting vulnerability within the chat feature for Skype on the iPhone. The security hole could allow for malicious JavaScript code to access to your address book and is known to affect versions 3.0.1 and below.

Skype reached out to TechCrunch to say they’re hard at work on getting an update pushed to the App Store.

We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.

The funny thing is, Skype has known about the issue for a while now. AppSec Consulting security researcher Phil Purviance helped discover the problem and let Skype know about it almost a month ago. Skype responded saying they would release an update earlier this month, but we’re nearing the end of September and there’s no update to be found.

Here’s hoping Skype gets on this quick and pushes out an update soon, but in the meantime check out the video below detailing how the vulnerability works.

[superevr, TechCrunch]

Pwn2Own is a hacking contest which in previous years demanded OS exploits on day one, allowed browser vectors on day two (how OS X was compromised last year — thanks Safari!), and opened the floodgates with 3rd party bugware on day three. First person to successfully hack a machine won it as a prize, along with a nice cash bounty for their troubles.

This year, Ars Technica says Pwn2Own is doing something a little different: they’re bringing in the mobiles!

Apple’s iPhone is front and center on their target list, along with the Google Android G1, and devices from the BlackBerry, Symbian, and Windows Phone families. Pwn the mobile and you not only win it, but $10,000 to boot!

Not a lot of solid info on the rules yet, but we’ll keep a look out. Any white hats out there eager to try their luck?

Forbes.com (via TUAW) is claiming Ziphone jailbreak author Piergiorgio Zambrini has found a way to crash the iPhone (and other computer systems, according to Zambrini’s own website) using specially crafted video files:

The bug Zambrini found is in the audio portion of Apple’s video format. Knowing the bug exists, someone could write a program that incorporates the bug into a video file and trigger a crash whenever an iPhone attempts to run that file. The bug, which is located in a shared code library that is used across most Apple operating systems and some Linux ones as well, doesn’t appear to cause any permanent damage, but immediately sends the device into a panic that leads to a lengthy reboot.

Since it crashed the device and not just the app, one security expert quoted feels it’s a kernal vulnerability that’s been discovered. Zambrini, who paradoxically claims to have both applied for a job with Apple’s security team, and that working for Apple is not his goal, is apparently exploring the vulnerability as a way to inject malicious code.

Lovely.

Howsabout next time we be a little more responsible and keep the information confidential, alerting only the OS makers involved, giving them a reasonable amount of time to patch the problem before we put real world end-users at risk by alerting bad guys to potential exploits, b’okay?

Last week the UK ruled that Apple was misrepresenting the iPhone’s provisioning of “just the internet” due to the lack of support for two ubiquitously popular 3rd party plugins: Flash and Java. We’ve previously covered the will they/won’t they drama surrounding development and deployment of Flash and Java pretty much ad nauseum infinitum, as well as some seldom discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of 3rd party advertising cookies.

More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws a renewed focus on the danger of 3rd party plugins like Flash and Java, on how they interpret and run code on our machines, and how they provide an increasingly popular attack vector for bad guys (hackers, malware authors, identity thieves, etc.)

How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!

Before we begin, I’ll just mention again that I’m a long time (10+ years) web developer who works quite a bit with Flash. I’ll also add that some coverage of the issues I’m about to get into has tended towards the sensationalistic. The sky is not falling. We’re not doomed. Or, at least, not because of anything to do with Flash, Java, or the iPhone.

Caveat’d enough? Good.

Back in early August at the Black Hat conference, Alexander Sotirov and Mark Dowd presented a paper amusingly titled How to Impress Girls with Browser Memory Protection Bypasses. While Vista security proper is beyond the scope of this blog, as Operating Systems like OS X on the iPhone become increasingly hardened against security exploits, the web browser becomes the path of least resistance for hackers to get at us and our stuff.

The iPhone’s browser, MobileSafari is currently the closest thing to a desktop-class rendering engine as can be found on a handset. It’s based on the same WebKit core as Safari for Mac and Windows, and so it’s not unreasonable to imagine it shares the same advantages (real HTML, CSS, and AJAX) and risks (can be exploited). This could potentially include buffer overruns, cross site scripts, and — yes — plugin vulnerabilities.

On a recent episode of the TWiT network’s popular Security Now! podcast, Steve Gibson summed up the problems with Flash and Java:

Their technologies, especially in the case of Java, Java has, deliberately has readable, writable, and executable memory because of the way it operates. o it’s a big target. And so many of these third-party things, which you could pretty much depend upon, you know, Flash player is installed in the high 90 percentile of Windows machines so you can count on it being there.

And what if we could likewise count on their being on the iPhone? What potential problem could that expose?

Certainly after this paper has come out where these guys demonstrate clearly the exploitability of Flash, which is not [Data Execution Prevention] compatible, it’s like, okay, Adobe, if you want your code in my machine, you make it safe. Because we’ve seen a bunch of Flash exploits here in the last few months. And, you know, this wouldn’t be possible if Adobe would do the work. I don’t care how hard it is, it’s certainly possible to code around this [...] Basically this is laziness. In this day and age, for Flash still not to be marked as DEP friendly when it is in a highly vulnerable environment, it’s not like it’s something down on your tray, it’s in your browser. And we know what a target browsers are just by their very nature. I mean, in fact, the whole focus of this paper was specifically browser vulnerability. [...] It is very common applications like Silverlight, like Flash, commonly used components, or even Media Player, that are invokable by the browser and still not yet safe, that is really now the main target of exploitation.

We’ve already seen MobileSafari exploits in the wild (indeed, a TIFF-based vulnerability was one of the first ways people found to jailbreak the iPhone 1.1.1 — just by entering a URL in the browser!)

Again, this is not breakworld stuff. No need to panic and lock your handset in a lead box. Future versions of Flash and Java (and similar plugins) will likely address these issues.

Just remember, for now, that the iPhone is tremendously popular, and thus will be a tremendously popular target for hackers. Apple already has to worry about securing the HTML, CSS, AJAX (Javascript), and Quicktime (which they own and can therefore rapidly address) components of Mobile Safari. Add to that the complications of 3rd party code interpreters with a very real history of not only exploits, but (in the case of Flash) for being bloated and buggy on the Mac (another thing Adobe has chosen not yet to prioritize fixing), and it begins to make more sense why we haven’t seen Flash or Java on the iPhone, a device that knows who we are (all our date) and where we are (3G aGPS).

But wait, other smartphones run versions of Flash and Java, though, don’t they? Sure, but I’d argue that the iPhone isn’t really a smartphone, it’s a mobile computer. Full darwin kernal, BSD networking — pretty much a UNIX box in your pocket. To me, that’s a far bigger target than Palm OS, the Java Micro Edition inside a Blackberry, and even Windows Mobile (which, despite the name, is a very different animal under the covers than Microsoft’s desktop OS).

And isn’t there a battle going on for the Rich Internet Application (RIA, aka WebApp) space? You betcha. Google didn’t just drop Chrome for no reason. SproutCore, Flash/Air, Silverlight/.Net, Prism, Safari, Java, etc. all want to own what’s likely the next major computing platform (the web “cloud”).

Bottom-line: Both for Apple and for consumers, the advantages for Flash and Java currently do not outweigh the drawbacks, especially as standard web technologies continue to decrease the gap between proprietary plugin capabilities and the open internet (HTML, CSS, AJAX).

That’s my opinion, at least. What’s yours?