Pangu team creates Reddit account, tweets public statement on recent hack claims

A couple of days ago Pangu team was subjected to trust issues after a thread made it to Reddit claiming that some users had unauthorized charges from Beijing on their PayPal account after jailbreaking, others had their Facebook account show login attempts from various Asian countries, but mostly from China.

What exactly happened ?

Over the weekend, a disgruntled jailbreaker took to Reddit claiming that he had jailbroken one of his devices with the Pangu jailbreak tool for iOS 9.3.3 with a burner Apple ID. After an hour or so later, he claimed he had noticed charges on his PayPal account originating from Beijing with an unknown email address.

The same person also claimed he wasn’t using any piracy stores or repositories, and the Beijing origin certainly seemed incriminating for 25PP, considering that the 25PP jailbreak originally came with a Beijing enterprise developer certificate. Within the following minutes and hours, other users also chimed in, noting they had some of their online accounts hacked as well.

The post got tons and tons of up-votes, as one of peoples’ main concerns from Chinese jailbreaks are their security and legitimacy. After all, when you can’t read what a jailbreak tool is saying, you never really know what you’re agreeing to or clicking on. The post effectively fed off of everyone’s worst fears and quickly made to the top the /r/jailbreak sub-reddit.

Saurik later hopped onto the same thread to chime in. He had noted that he’s not particularly excited about the way the PP jailbreak tool handles stuff. Nevertheless, he created Cydia Impactor as a safe way to jailbreak your devices because it sends your Apple ID directly to Apple and no one else.
I don’t particularly like the concept of installing the 25PP tool (edit: this sentence used to say “trust”, but I think that was confusing), as Chinese companies tend to have software that is pretty intrusive and even “combative” against competitor’s software, and in general I am concerned about the way people do signature stuff (as it is just so much easier to do the signing on a server…) which is why I worked so hard to make Impactor be able to do all the signing and communication locally. That said, 25PP’s profit model would probably benefit from local signature work, so I can see them having the existing expertise and taking the time to do that “correctly”.
Despite what seems like a gloomy conversation, Saurik comes back saying that he trusts the Pangu jailbreak team, despite the mystery surrounding the joint 25PP/Pangu jailbreak app and the Chinese Windows tool.
I will also say I trust Pangu a lot… but I don’t know if the Chinese version of their app was only touched by them. I bet the English one was their work only, though you are downloading it from 25PP, which opens some issues: do you trust the employees at 25PP with control over their servers? I would say that it would be dumb to do quickly be trying to attack people rather than racking up more credentials before anyone becomes suspicious. You have to remember that there are millions of people who jailbreak. And Pangu specifically listed this subreddit on their website as a place to talk to people about their issues, so we are going to be seeing tons of people. Do we really have evidence that this is an issue with the jailbreak process as opposed to a string of random attacks that are being noticed here because we are all being extremely suspicious this week?
If anything, I bet there was just some website, maybe it was even one we all use more often than other people (like reddit! ;P) which was hacked in some way, and people were sharing passwords between there and PayPal, and that hack just happens to have happened at about the same time the jailbreak came out.
Here's Pangu team tweets on Twitter:

Every jailbreak is a trade-off between security and customization. But that’s not to say that the jailbreak was the cause for all these hacks. There isn’t enough evidence to blame the jailbreak for these people’s compromises, which may have in turn been caused by their own gross negligence.


blog comments powered by Disqus
Octofinder Blog Catalog