IIRC, every video game console that ships with webkit has been jailbroken due to vulnerabilities in webkit. Off the top of my head at least, I know the following have been exploited that way:

* PS4

* PS Vita

* 3DS/New 3DS

* Wii U

* Wii

Also maybe PS3/PSP and likely also PS5 will get the webkit exploit treatment at some point.


iOS as well - JailbreakMe[0] and TotallyNotSpyware[1] use a WebKit exploit to get out of the sandbox to then trigger other exploits that allow full system compromise/control.

Note that, while earlier JailbreakMe exploits were patchable if you installed a patch[2], the readme in the TotallyNotSpyware repo explains that, in general, there's not a patch for the exploit post-jailbreak, so you could still be pwned by a third-party website should they deliver this exploit with a spyware payload.

0: https://en.wikipedia.org/wiki/JailbreakMe

1: https://github.com/JakeBlair420/totally-not-spyware

2: https://www.idownloadblog.com/2011/07/06/pdf-patcher-2/ (use an ad-blocker, this website is super ad-infested)

Are the versions of WebKit that ship on those consoles patched regularly and kept up to date? Probably not, so I don't think it is too relevant to how secure Safari is. There have been plenty of zero days for Chrome, but that doesn't mean it is somehow the least secure browser.

If you can break out of the app sandbox on iOS, that is a flaw with iOS. These flaws could be exploited with any app that is using file parsing, like the Adobe Photoshop app.

The JailbreakMe app wasn't an exploit on WebKit. It was the iOS native PDF rendering library. WebKit was used to deliver the exploit.

That is not a fair comparison. An entire browser engine has way more surface area for attack than a JPEG decoder.

It was just an example. What about a PDF editor/viewer like Acrobat?

Still far less attack surface area than a browser engine.

Browsers can download and execute arbitrary code in the form of JavaScript or WASM. Your options for poking at the sandbox are far more plentiful when it is parsing and executing Turing-complete instructions rather than a markup language or other static data.

A couple of things to note here.

Firstly, this is not a WebKit-specific problem; it's just that WebKit is the most commonly embedded browser engine.

I have personally jailbroken my LG smart TV using a V8 n-day exploit (details not public, yet).

For any modern browser engine that is left unpatched, it is only a matter of time before it can be exploited using publicly-available techniques - and console manufacturers know this. Which leads me to my second point:

Console manufacturers assume that the browser will be compromised, and sandbox it appropriately. It is not a meaningful security boundary, by design. Exploiting the browser on a console, on its own, doesn't get you very far. You'll need to chain it with additional exploits (a sandbox escape, a kernel exploit, etc.) to do something useful.
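The "assume the browser is compromised and sandbox it" design the comment above describes can be illustrated with a minimal renderer-style sandbox. The following is an added example, not code from the thread or from any console or browser vendor: a forked child installs a seccomp-bpf filter (Linux-only, hypothetical policy) that denies `open`/`openat` with `EPERM`, then tries to open a file and reports the verdict to its parent. The point is that a renderer process living under such a filter cannot reach the filesystem directly even after its own code is fully controlled, which is exactly why a browser bug alone is "not a meaningful security boundary" and must be chained with a sandbox escape.

```c
// Added example (not from the thread): a toy seccomp-bpf "renderer sandbox".
// A forked child denies open()/openat() with EPERM and then tries to open a
// file; the parent collects the child's verdict via its exit status.
// Linux-only. The policy here is an illustration, not any vendor's real one.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Verdicts the sandboxed child reports back through its exit status. */
enum { OPEN_OK = 0, OPEN_DENIED = 1, NO_FILTER = 2, OTHER_FAILURE = 3 };

/* Install a seccomp-bpf filter: open/openat fail with EPERM, everything
 * else is allowed. Returns 0 on success, -1 if the kernel or the container
 * refuses to install a filter (seccomp may be disabled in some sandboxes). */
static int install_deny_open_filter(void) {
    struct sock_filter filter[] = {
        /* Load the syscall number from struct seccomp_data. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* nr == openat  -> return EPERM, otherwise skip the next instruction */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#ifdef __NR_open
        /* Older ABIs also have a plain open(); deny it the same way. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* NO_NEW_PRIVS is required before an unprivileged process may install
     * a filter; it also stops setuid binaries from escaping the policy. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Try open(path) inside a filtered child; return the child's verdict. */
int sandboxed_open_result(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return OTHER_FAILURE;
    if (pid == 0) {
        if (install_deny_open_filter() != 0) _exit(NO_FILTER);
        int fd = open(path, O_RDONLY);
        if (fd >= 0) { close(fd); _exit(OPEN_OK); }
        _exit(errno == EPERM ? OPEN_DENIED : OTHER_FAILURE);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return OTHER_FAILURE;
    return WIFEXITED(status) ? WEXITSTATUS(status) : OTHER_FAILURE;
}

/* The same open(path) with no filter, for comparison. */
int unsandboxed_open_result(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return OTHER_FAILURE;
    close(fd);
    return OPEN_OK;
}

int main(void) {
    const char *path = "/dev/null";  /* constructed sample target */
    printf("unsandboxed open: verdict %d\n", unsandboxed_open_result(path));
    printf("sandboxed open:   verdict %d (1 = denied, 2 = filter unavailable)\n",
           sandboxed_open_result(path));
    return 0;
}
```

Run it as an ordinary user on a Linux box: the unfiltered open succeeds (verdict 0) while the child under the filter gets verdict 1. Real renderer sandboxes go much further (allow-lists rather than a single denied call, brokered file access over IPC, namespaces, dropped capabilities), but the structure is the same: the process that parses untrusted input is assumed to fall, and the policy decides what falling costs.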

So... theoretically there is no security disadvantage to using Blink as your render engine instead of WebKit, as long as they're running in the same sandbox? If that's really the case, then it's even more bizarre that Apple stands by their security statement.

The console threat model is far too different to the mobile device threat model for any direct comparison.

Console users will deliberately withhold security updates, so that they can later hack their devices. Console security updates protect the vendor from their users.

Mobile users (who care) will always be on the latest updates. Fresh browser exploits are exponentially more expensive, generally speaking.

Allowing users to use different browser engines doesn't necessarily widen the remote attack surface, it just changes it. But yes, ultimately I think Apple cares more about losing their walled garden, than they do about security.

>I have personally jailbroken my LG smart TV using a V8 n-day exploit (details not public, yet).

What have you done with your jailbroken TV?

I was considering jailbreaking my LG Smart TV too as I _hate_ the Home screen with a passion and was hoping to replace it. But I use the Game Mode all the time, so I was hesitant to jailbreak in case that interfered.

I'm just curious why you've jailbroken yours and whether or not I should.

There is not much surface area of attack outside of the browser and the incentive of pirated games is huge. Especially outside the US and EU where people barely have money for the consoles, so game piracy is the norm (Russia, Brazil, other developing countries).

Yes, webkit is somewhat to blame, but I bet, as we can see the number of exploits in the graphs from the original post, that any outdated Chromium version would end up with the same fate.
