A partial exploit in Windows Phone was found as part of HP's annual Mobile Pwn2Own event

A security researcher who took part in a competition sponsored by HP managed to find a partial exploit in Windows Phone on Wednesday, but he was unable to gain full control of its features.

The event was the annual Mobile Pwn2Own competition in Tokyo, Japan. Researcher Nico Joly was the only one to try to find a way to hack into Windows Phone during the event. He used a Lumia 1520 for his effort, in an attack on Internet Explorer. HP said, "He was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system."

The issue has since been disclosed to Microsoft, so it's possible we will see an update to Windows Phone that will close this partial exploit at some point in the future. Are these kinds of competitions helpful to Microsoft and other companies in finding problems that might otherwise be missed?

Source: HP. Thanks to Alex K for the tip!

John Callaham
124 Comments
  • *draws breath* Noooooooooooo! EDIT: "Was unable to gain full control of its features"
    Didn't get to that part. :P
  • Well dats a sign to beware!! At least got a loophole to be fixed :|
  • No, it's a good thing; it proves Windows Phone is one of the most secure of all mobile OS's. Unlike Android or Apple, which can be rooted or jailbroken. It shows how good Microsoft is at making a secure OS. I know that Windows of the past wasn't as secure, but with thirty years of experience they finally delivered a product that's damn near unhackable. Which means that if they apply the same security features on Windows 10 then it will be the most secure OS on all devices, not just phone.
  • What? Only one person tried to jailbreak it and he was successful
  • You might wanna read the article again. Because to jailbreak or root a device you have to gain full control of the device. Windows Phone's sandbox held, and try as he might he couldn't get full control of the device, therefore no jailbreak or root.
  • Hacking events work like this. People enter into these contests. They can get rewards for hacking. It's usually split into categories like mobile hacking, something like that, and they get choices on which device they want to hack. They get rewards for getting a hack first, and if they hack a system usually they are paid by whomever they hacked to disclose the hack to them so they can then patch the security flaw. The hacker also prepares ahead of time by making whatever he/she needs for the hacking event.
  • No, this is good. The exploit has been found and revealed to Microsoft so they can fix it. Also, good that the sandbox worked as intended.
  • My initial reaction was the same as SammyD97 but then I kept reading and the hopmedic within prevailed.
  • LOL!
  • But the big question is how fast can Microsoft release a fix for this exploit. With such slow and indirect patch deployment as it is now, it's hard to believe they will patch it quickly.
  • That's a good point. I guess we'll have to wait and see. And hope.
  • Don't you remember the exploit found that could brick a phone only by sending a text message ? Microsoft released a fix for that in less than 1 week on all WP devices. I guess that they can speed up the process when it's about security.
  • Do you have a link to that information? I want to know more
  • But Microsoft does not act as quickly in Chile for the Windows Phone platform. I am somewhat tired of hearing comments like "Microsoft released a fix for that in less than 1 week on all WP devices." Yeah, they do in the United States, but in other countries they do not act at all, and it is as if, to Microsoft, the rest of the countries do not exist on the map; it is not only the USA, Canada and lately India and the UK on the map. About the news of the unsuccessful hack attempt: it is great, it just proves that Microsoft can do things better than before, and also the safer a mobile platform is the better, considering that they are used on the internet for browsing, gaming, chat and other stuff.
  • I actually had a little bit of hope. As dangerous as full control is, it would have allowed us to edit the registry and allow interoperability. (maybe)
  • That would have been awesome!!
  • This was quite an interesting read. There was an article on WMPU that indicates you may be able to crack Windows mobile with a simple hack http://wmpoweruser.com/stupidly-simply-hack-may-crack-open-windows-phone-8-1/
  • Those guys are deadly! MSFT should hire him..
  • Best way to outsmart a hacker is to use a better hacker.
  • That being said, it is good to know he couldn't fully exploit the loophole. Were breaches found in any of the other platforms?
  • Multiple breaches were found in Android devices (as well as an Amazon Fire Phone) along with the complete breach of iOS' Safari sandbox.
  • It's also important to note that he was the only person trying to hack into Windows Phone at the event. Perhaps if more hackers were trying to exploit WP there would have been more loopholes.
  • There was only one person trying to hack iOS as well, but he succeeded.
  • And no one mentions it. I tell you, these people are out to discredit MS/Windows Phone.
  • I am sure there will be plenty if the Windows Phone platform becomes more popular.  Just like apps go first to the most popular phone because of the large user base, so do hackers who want the largest base to exploit.
  • Just hope that Microsoft focuses on Windows Phone security more. I don't want Windows Phone to be like iPhones and Android devices. But actually cases like this are good because IT Security will learn and patch up!
  • Microsoft built Windows Phone from the ground up with security in mind. That's why the guy couldn't get full control of the Windows device. I personally wish more hackers would try to exploit Windows Phone so as to prove how secure Windows Phone really is compared to iOS and Android. You ever wonder why every time they release a new version of iOS, less than a month later it's been jailbroken? But after 4 years on the market no one has found a credible way to jailbreak or root a Windows Phone device. Just think about that for a minute.
  • http://www.securityweek.com/mobile-pwn2own-2014-iphone-5s-galaxy-s5-nexu...
  • Nooooo
  • Keep reading
  • Hmmm.... Lol, let's see what happens, hacktivists be wary
  • No doubt!
  • Why doesn't Microsoft hire these guys?
  • Let them constantly try to hack to solve bugs as a career. That would be awesome.
  • They do have a bounty program.
  • "Sandbox held..." Nuff said..
  • +1
  • These challenges are great for platforms to improve security. WP is still the most secure OS though... :)
  • It's not, BB 10 is.
  • No.  http://n4bb.com/blackberry-allegedly-vulnerable-oma-dm-exploit/ There are no known ways of hacking the Windows Phone 8+ OS to date.
  • The same argument about why Macs didn't have viruses for so long could be made -- the lack of market share makes it a low return target.
  • Macs did not use SecureBoot where the core OS has to be digitally signed to run, and multiple layers of sandboxes now exist. I'm not saying it's invulnerable, I'm just saying it's much much harder to exploit today than in Mac eras. And I expect someone to eventually find an attack vector. They've just not yet. And yes, you are correct in that when only 100 million Windows Phones exist, there's less motivation to target the OS than say an Android phone.
  • Except that ignores that at events like this, WP8 has still not been completely pwnt.
  • try again
  • Used to be until they had to setup pointless data centers in foreign countries
  • Seems faster
  • Are you okay? You think it is funny?
  • ??? Windows Central needs to auto delete these kinds of reactions!!!!!! You haven't even read the article!
  • Noooo, he read it, but he is probably boring... trying to be fun and make all community here laugh...
  • You are right about the boring part, although I suspect you meant "bored".
  • Noo, I meant boring, I am BORED of these stupid reactions and answers, maybe they think they are awesome. :)
  • I find them funny, but maybe I need more sources of fun in my life.
  • No, I think you meant BORED. "he is probably bored & is attempting to make us laugh"
  • Hahaha it is funny. These used to annoy me not anymore. There are a lot more things to get annoyed about.
  • No my friend.. this is not funny, these things should be deleted instantly... and one who posts something stupid and irrelevant should be warned once, next time banned for 24 hours, after that if it's repeated, banned for lifetime! You will see then that "seems faster" will be mentioned no more!
  • Seems banedster
  • What I think that shouldn't be posted is all those hater comments whenever something is improved. I don't know why people these days love to complain instead of enjoy what is improved. There is no point in seeing only one side of the coin.
  • U want some cookies.? -_-"
  • Confirmed +925 Seems faster indeed
  • Seems most secure
  • The security may have prevented access to the phone itself, but being able to extract the cookies could expose a user's passwords to various sites if they have PC sync turned on and IE set to remember passwords. Hope this gets patched asap.
  • Saved passwords are not stored in the cookies, and I don't know why you think that. The hacker COULD copy session cookies for services you already logged into. In that instance, they don't need your password. But the cookie database does not contain your passwords.
  • Passwords *should not* be stored in cookies. It doesn't mean some off website doesn't do that. However, many cookies do hold access tokens that are used to authenticate requests and to validate your identity to the service or website. It is important to remember that just because a hacker is able to obtain a token doesn't mean they'll be able to gain access to the website either... but it is a vulnerability that has some risk of exposing personally identifiable data to a hacker -- depending entirely on what is stored in the cookies that are compromised.
  • Stealing cookies is definitely not great as described. Hopefully this will be quickly patched.  IE hacks are always bad because you don't need physical access to a device. There was talk recently of another exploit in XDA where OEM apps on the SD card could be exchanged and permissions maintained from the OEM app.  Not seen that mentioned on WC yet. I do wonder if this was simply a desktop IE exploit used on mobile IE that is on a much slower update rate.
  • No, the website doesn't get to dictate to the browser where a password is stored. A website never even KNOWS if a browser is storing the log-in password. Why would you say something like that? A website can't do shit to force IE, or Safari, or Chrome, or Firefox or any other browser on how to store saved password credentials. Session cookies and passwords are two completely different things and they are NOT, repeat NOT stored in the same place.
  • Most websites implement their own security/authentication model. A very stupid web programmer can set up their site to store a user's password in a cookie in plain text and then auto-login the user without prompting when they return. Is it common? No. Is it possible? Yes. Has it been done? Yep. Usually, a site will just store your session ID and log you in automatically if that session is still valid. Either way, a stolen cookie could be used to connect to many websites as a pre-authenticated user.
  • The 'remember password' syncing in IE is most certainly not storing your passwords in plain text using cookies.  It uses some variation of the credential manager used in the desktop version of Windows.
  • See my comment above.  He isn't talking about IE password syncing.  He is talking about custom methods of "keep me logged in" or "remember me" that some poorly designed websites use.
  • That's why I don't trust cookies anymore! In private browsing 4 ever. +930
  • Perhaps this is just security by obscurity....
    "Researcher Nico Joly was the only one to try to find a way to hack into Windows Phone during the event."
  • That was my thought too...but worrying that the one person who tried was able to be at least partially successful!
  • Not really. If you've followed Day 1 of the Pwn2Own (yesterday) you'd see that a group of hackers were able to perform a COMPLETE breakout of iOS' Safari sandbox. The sandbox stood, and it did exactly what it was supposed to do. A sandbox doesn't prevent exploits from being used, it's merely there to minimize the effectiveness of them. In this case, even though he was able to exfiltrate the cookies (which if you have session cookies stored, could be dangerous in its own right) he was completely unable to break out of the sandbox for IE.
  • Well considering there were only 7 teams, that's not surprising. Only one team targeted the iPhone too, except they were successful escaping the sandbox and the device was compromised.
  • Sandbox did its work as intended. These are good so companies can fix issues that may not be found.
  • It probably took hackers less than a minute to hack into an Android
  • did anyone hack your language OS?
  • Lols faster
  • LOLOLOL
  • What?
  • Edited, I meant to say LESS than
  • WP is yet a better OS in terms of security.
  • What is this text about ? Didn't get anything anybody explain please..
  • An HP-sponsored competition took place to see who could find an exploit (potential error or loophole in the coding that could allow a hacker to compromise the phone)... A security researcher had found an exploit in the Lumia 1520 (probs other WPs too), however the phone's sandbox prevented him from accessing full control of the phone... He's now reported it to MS who will highly likely be patching the exploit and sending it to phones through update.
  • Couldn't have said it better myself...
  • Thanks ! Excellent
  • Thanks for using my tip! :)
  • Nope, they won't patch it "soon". But yup the "future"
  • Agreed. As long as carriers are involved in the update release process it will never be soon. Weird thing is, even carrier-free devices have to wait extremely long for updates, even if the OEM has cleared the update. This SW->OEM->Carrier->User process is not okay. Fine if the update REQUIRES new functionality from the OEM or Carrier, but a fix like this should ALWAYS be pushed directly from SW->User, no interruptions.
  • Now it's a good thing Windows Phone is so sandboxed :)
  • Awesome, now MS could be a little alert on their loopholes
  • This is good. Now MS can fix this known vulnerability and keep WP secure.
  • "Coming soon" patch for IE, best motto ever!
  • Wonder when vwz phones will get patched 2 years from now
  • What about the sd card exploit found by xda hackers??
  • Yeah, saw that posted on WMPU http://wmpoweruser.com/stupidly-simply-hack-may-crack-open-windows-phone-8-1/
  • Hopefully Verizon knew about this 6 months ago, or we might get updated sometime next year...
  • I tipped this as well dang it! :D
  • Having a case of the look at me look at me aren't you. It's ok, my 4yr old has it too.
  • I was just having fun but thank you for your analysis.
  • The best way to keep every OS safe is to hack them.
  • No, absolutely not useful. (stupid question gets a stupid answer)
  • So.... This exploit can take over IE, and that's it? That's still pretty bad (because it can transmit tons of sensitive data), but the rest of the system is otherwise fine? Interesting, I'm glad to be using a very secure OS. However, how is this exploit used? Cookies on a malicious site, it seems?
  • Code on a malicious website would take advantage of the exploit and steal cookies from IE. Some cookies might be useful for the attacker, but most would be completely useless. One example of a useful cookie is a session ID for a session that is still valid on a secure website. Adding the cookie to their own browser cache would allow the attacker to browse to that website and possibly bypass the login. The site would basically be continuing your previous active session except that it's not you. Depending on the website that could be bad. However, most highly secure websites like banks have additional checks in place. For example, they might have the IP address that started the session stored on their end and if that didn't match up to the cookie session ID then the site would prompt for a login. Anyway, it's not an attack that would be easily automated. The attacker would probably need to examine a lot of stolen cookies manually until they eventually found something worth gaining access to.
  • Translation: Not a problem in any sense of the word, correct?
  • That's a horrible translation. If you have session cookies, those could be used to hijack your logged-in sessions and take over your accounts. But not all session cookies are created equal.
  • I agree it has the /potential/ to be bad, but for all practical intents and purposes: Users really shouldn't have to worry.
  • "partial exploit" is the new term for "sorta/kinda but not really"
  • Is this the first case where hackers tried to exploit the Windows Phone security model? Or are there more (successful) cases out there?
  • There's always those that claim they have exploited Windows Phone but never any proof.
  • Glad to know I have a safe platform.
  • Glad for that event. Do more of them to help secure WP!
  • Please hack into XBOX MUSIC APP... it sucks...
  • I think the ARTICLE SAID THEY... were unsuccessful.
  • But wouldn't Android be way easier due to its open source nature?
  • It has less to do with being open source and more to do with software quality.  This event is mostly targeting browsers so far.  Chrome, Safari, and Firefox have exploits that have been found as well. 
  • Says only 1 attempted to exploit Windows Phone, would be interesting to know how many actually tried exploiting Windows Phone before competition and decided against it knowing it was useless so they went after the one they knew was easy.
  • MS could use this as an indirect means to take full control of update deployment.
  • No they couldn't. How do you suppose vacuuming up the cookies in your browser would allow you to take full control of the phone? Read the fucking article next time.
  • And the secure windows phone triumphs again!
  • The question is will be on 8.1.1?
  • Windows Phone has a huge exploit. I can make your phone restart uncontrollably. Although not tested it on the latest build. But it worked on 8.1 dev preview. They even banned my account for making it and putting it on the market. I only did that to send a link to Joe Belfiore, but someone else downloaded and complained and they shut my account. Assholes.
  • And this is why I think it's better to side with hackers and praise them for finding exploits in the security of the OS... If not, then they could just turn around and say a big FU and use their code for malicious purposes.  
  • I pray someone DOES find a way to root WP. That means we could finally access, customize, and tweak all kinds of stuff. Just because someone can hack the phone doesn't mean it's all bad!
  • The security of WP is one of the primary reasons that it is the only device used in my company.  This is great news, reaffirming my faith in the OS.