An unnamed team of hackers has apparently received a million-dollar payout for disclosing a trio of iOS 9.x and Google Chrome security bugs to private zero-day buyer Zerodium.
However, only people willing to pay Zerodium a subscription will get to see how the remote browser-based untethered jailbreak works: the company won't disclose it in public, but may later tell Cupertino.
Untethered jailbreaks allow users – or attackers – to break Apple's iOS security model gaining root access to devices that persists across reboots.
The remote browser-based jailbreak exploit vuln supposedly works on the new iPhone 6 and iPhone 5 lines, iPad Air 2 and Air, iPad 4 and 3, and the iPad mini 4 and iPad mini 2.
"No software other than iOS really deserves such a high bug bounty," founder Chaouki Bekrar told Vulture South.
"Our bounty required much more work than a classic jailbreak as it had to be remote and browser-based, so this required two to three additional zero-days compared to a public jailbreak.
"The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place."
The jailbreak was reported under a September challenge that sought an exploit which would work through SMS or either Apple's Safari or Google's Chrome.
Bekrar says two teams hacked away under a Zerodium iOS bounty, but only one gained the remote and "full browser-based" untethered jailbreak of iOS 9.1 and 9.2 beta.
The winners submitted the polished zero day-laden jailbreak a few hours before the competition closed.
The other crew reported a partial jailbreak and could gain a partial reward, Bekrar says. Zerodium is working to test and document the vulnerabilities.
"We will first report the vulnerabilities to our customers, and we may later report them to Apple," Bekrar says.
The firm will now prime other hacking challenges in the "near future" which will sport an average six figure payout.
Such subscription vulnerability firms are controversial because their exploits are sold to among other customers, or governments who would feasibly use the bugs for surveillance.
Bekrar was previously head of vulnerability discovery and broker firm Vupen which similarly sold exploits to US-friendly corporations and governments under a subscription model.
Many researchers disclose private bugs to brokers and firms for cash. That practice stands in contrast to the community jailbreaking efforts in which exploits are publicly reported without financial reward.
Those efforts by groups such as Pangu Team focus on areas of iOS that are less-valuable to attackers. The group tells El Reg it avoids targeting Apple's Safari since that could be valuable to attackers.
They acknowledge the team of seven could make money by disclosing the flaws to firms such as Zerodium but prefer public jailbreaks as offer greater device control to users and security researchers. ®