
In September 2023, Apple issued an emergency security update (iOS 16.6.1) for iPhones and iPads to patch two vulnerabilities that were being exploited in the wild: a buffer overflow in ImageIO (CVE-2023-41064) and a validation flaw in Wallet (CVE-2023-41061). Citizen Lab had found the exploit while examining a compromised device and reported it to Apple; it named the chain BLASTPASS and attributed it to the NSO Group.
The attack required no user interaction: a malicious message delivered via iMessage, carrying a PassKit attachment, was enough to compromise the device. The target was a staff member of a U.S.-based human rights organization. Remarkably, the attack succeeded on the latest iOS release available at the time, version 16.6.
At the heart of the exploit was a PKPass file, the format Wallet uses for tickets and digital passes. Inside it was an image carrying a .png name that was in reality a WebP file. The mismatch let the attackers reach the WebP decoder through a file that looked like a harmless PNG. The trick was not new for NSO: its 2021 FORCEDENTRY exploit hid a malicious PDF behind a .gif name in the same way.
The vulnerability lay in the WebP lossless decoder's handling of Huffman tables, the lookup structures the format builds from transmitted code lengths in order to decode compressed pixel data (tracked as CVE-2023-4863 in libwebp). Crafted code lengths caused the table builder to write past the end of its buffer during decompression. The overflow was not a free write primitive: it could place only a limited set of values at a location dictated by the table layout, not attacker-chosen data at an arbitrary address. To turn it into something useful, the attackers first had to arrange the device's heap very deliberately.
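How a Huffman table builder ends up writing out of bounds, and the check that stops it, shown as an added illustration in C. This is constructed for this page; it is not libwebp's code and not part of the exploit. It assumes a single-level lookup table indexed by the next 8 bits of the bit stream (MSB first) and canonical code assignment in the DEFLATE style; all function and type names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not libwebp's or Apple's code). A first-level lookup
 * table for a canonical Huffman code, indexed by the next TABLE_BITS bits of
 * the stream. A code of length len occupies 1 << (TABLE_BITS - len) entries. */

#define TABLE_BITS 8
#define TABLE_SIZE (1 << TABLE_BITS)
#define MAX_LEN    TABLE_BITS      /* single-level table: no code longer than 8 */

typedef struct {
    uint8_t  bits;   /* length of the code this entry decodes; 0 = no code here */
    uint16_t value;  /* decoded symbol */
} HuffEntry;

/* How many table entries these code lengths will occupy, or -1 if a length
 * is out of range. This is the number a builder must compare against its
 * buffer before writing; trusting the lengths is what makes the write
 * overrun when the code is over-subscribed (Kraft sum greater than 1). */
int huff_entries_required(const uint8_t *lens, int n)
{
    int total = 0;
    for (int i = 0; i < n; i++) {
        if (lens[i] > MAX_LEN) return -1;
        if (lens[i] == 0) continue;                 /* symbol absent from the code */
        total += 1 << (TABLE_BITS - lens[i]);
    }
    return total;
}

/* Fill the table. Returns the number of entries written, or -1 when the
 * lengths do not fit: the check happens before the first write, so an
 * over-subscribed code never reaches the store loop. */
int huff_build_table(const uint8_t *lens, int n, HuffEntry *table, int table_size)
{
    int bl_count[MAX_LEN + 1] = {0};
    int next_code[MAX_LEN + 2] = {0};
    int needed = huff_entries_required(lens, n);

    if (needed < 0 || needed > table_size) return -1;   /* reject before writing */
    memset(table, 0, (size_t)table_size * sizeof *table);

    for (int i = 0; i < n; i++) bl_count[lens[i]]++;
    bl_count[0] = 0;
    /* Canonical code assignment: codes of each length follow on from the
     * codes of the previous length, shifted left by one. */
    for (int len = 1; len <= MAX_LEN; len++)
        next_code[len] = (next_code[len - 1] + bl_count[len - 1]) << 1;

    int filled = 0;
    for (int sym = 0; sym < n; sym++) {
        int len = lens[sym];
        if (len == 0) continue;
        int code  = next_code[len]++;
        int first = code << (TABLE_BITS - len);
        int span  = 1 << (TABLE_BITS - len);
        /* Belt and braces: every store is bounds-checked individually too. */
        if (code >= (1 << len) || first + span > table_size) return -1;
        for (int j = 0; j < span; j++) {
            table[first + j].bits  = (uint8_t)len;
            table[first + j].value = (uint16_t)sym;
        }
        filled += span;
    }
    return filled;
}

/* Decode one symbol from the next TABLE_BITS bits of the stream; stores the
 * number of bits consumed. Returns -1 if no code maps to that window. */
int huff_decode(const HuffEntry *table, unsigned window, int *consumed)
{
    const HuffEntry *e = &table[window & (TABLE_SIZE - 1)];
    if (e->bits == 0) return -1;
    *consumed = e->bits;
    return e->value;
}
```

The principle is the one that separates a safe decoder from a vulnerable one: derive the space the table needs from the code lengths and compare it with the buffer before any write, instead of assuming that the lengths describe a valid prefix code. A set of lengths like {2, 2, 2, 2, 3} is over-subscribed and needs 288 entries of a 256-entry table; a builder that skips the check computes an index past the end and writes there.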
They did this with a second file embedded in the PKPass: an image named background.png that was in fact a TIFF file. It carried a carefully crafted CFArray object, positioned so that it overlapped the memory region the overflow would reach. After that, a 1-megabyte bplist (binary property list) was loaded to groom the heap, filling and shaping allocations so that the corruption would land exactly where it was needed.
Among the objects in this bplist was a counterfeit CFReadStream. When the system released it, deallocation went through a function pointer held in the fake object, and that call is where the attackers' control of execution began. Notably, they did not have to bypass Pointer Authentication Codes (PAC), the control-flow protection designed to stop exactly this kind of hijack: the pointer they abused sat in a structure of function pointers that was not PAC-protected, so they simply redirected it to a legitimate function already present in memory.
To defeat Address Space Layout Randomization (ASLR), which hides where code and data actually sit in memory, the attackers appeared to already know the necessary addresses. That knowledge was most likely obtained through a separate vulnerability, possibly in the HomeKit framework, used as a precursor to the main exploit.
The final stage evaluated an NSExpression, a Foundation class that parses and evaluates expression strings at runtime and has repeatedly served as a scripting primitive in iOS exploits. The payload was encrypted and waited for a second message from the attacker carrying the decryption key; only then did the final malicious code run, most likely to escape the constraints of Apple's BlastDoor sandbox and gain full control of the device.
This attack chain, while intricate and multilayered, rested on well-documented exploitation principles: file type masquerading, precise heap grooming, and function pointer hijacking. Researchers have urged Apple to tighten the bplist parser, rejecting duplicate keys and excessively large objects, and to stop trusting file extensions, which have now twice been the linchpin of a successful zero-click attack.
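The file masquerading described earlier (a WebP and a TIFF shipped under .png names) and the closing recommendation not to trust extensions both come down to one check: identify the container from its leading bytes and compare that with what the name claims. The following is an added example in C, constructed for this page and not Apple's or any real parser's code; the function names and the sample headers are hypothetical, and the samples are built inline so the code runs offline.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example (not Apple's or any real loader's code). Decide what a
 * file is from its magic bytes and compare that with what its name claims. */

typedef enum { FT_UNKNOWN = 0, FT_PNG, FT_WEBP, FT_TIFF } FileType;

/* Identify the container from its signature: PNG (8-byte signature), WebP
 * (RIFF chunk whose form type is "WEBP"), TIFF ("II" or "MM" byte-order mark
 * followed by the 42 marker in that byte order). */
FileType sniff_type(const uint8_t *buf, size_t len)
{
    static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };
    if (len >= 8 && memcmp(buf, png_sig, 8) == 0) return FT_PNG;
    if (len >= 12 && memcmp(buf, "RIFF", 4) == 0 && memcmp(buf + 8, "WEBP", 4) == 0) return FT_WEBP;
    if (len >= 4 && (memcmp(buf, "II\x2A\x00", 4) == 0 || memcmp(buf, "MM\x00\x2A", 4) == 0)) return FT_TIFF;
    return FT_UNKNOWN;
}

/* Case-insensitive comparison for extensions (".PNG" is still a PNG claim). */
static int ext_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* What the file name claims to be, based only on its extension. */
FileType type_from_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return FT_UNKNOWN;
    if (ext_equals(dot, ".png"))  return FT_PNG;
    if (ext_equals(dot, ".webp")) return FT_WEBP;
    if (ext_equals(dot, ".tif") || ext_equals(dot, ".tiff")) return FT_TIFF;
    return FT_UNKNOWN;
}

/* 1 if the bytes are what the name claims, 0 otherwise. A loader that
 * dispatches on the sniffed type alone will run the WebP decoder on a file
 * called thumbnail.png; one that dispatches on the name alone can be handed
 * a parser it never expected. Requiring both to agree takes the choice of
 * decoder away from the attacker. */
int extension_is_honest(const char *name, const uint8_t *buf, size_t len)
{
    FileType actual = sniff_type(buf, len);
    return actual != FT_UNKNOWN && actual == type_from_name(name);
}

/* Constructed sample headers, modelled on the mismatches described above:
 * a WebP (RIFF/WEBP) and a little-endian TIFF that would be shipped under
 * .png names, plus a genuine PNG header. Only the first bytes matter here. */
const uint8_t sample_webp_as_png[] = { 'R','I','F','F', 0x24,0,0,0, 'W','E','B','P', 'V','P','8','L' };
const uint8_t sample_tiff_as_png[] = { 'I','I', 0x2A,0x00, 0x08,0,0,0 };
const uint8_t sample_real_png[]    = { 0x89,'P','N','G', 0x0D,0x0A,0x1A,0x0A, 0,0,0,13, 'I','H','D','R' };
```

In a real attachment pipeline the interesting policy decision is what to do on a mismatch: refuse the file outright, or at least never let the sniffed type select a decoder the declared type would not have reached.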