iMessage, Apple’s instant messaging system was found to have an out-of-bounds issue being tracked as CVE-2019-8646. Apple claims to have patched the bug in iOS 12.4, but it seems as if a security researcher has proved this to claim to be untrue. Based on the researcher’s efforts, he claims the flaw resides in the application and is named “_NSDataFileBackedFuture.” If all steps are done correctly, an unauthorized party could have access to read files on the iPhone. Furthermore, the researcher states, “The class _NSDataFileBackedFuture can be deserialized even if the secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called.” This issue affects all iPhones model 5S and later, along with the iPad Air and 6th generation iPod Touch running on iOS 12 or later. A proof-of-concept was developed, and it recreated the issue.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is