Don’t get tricked by this crashtastic iPhone Wi-Fi hack! (Security News, July 2021)
Schou set up a Wi-Fi access point with a network name of %p%s%s%s%s%n, and then deliberately connected his iPhone to it in order to check for what are known as format string vulnerabilities.
The name "format string vulnerability" comes from the format-string argument of a standard, widely used system function found in almost every operating system: printf(), whose manual page summarises it as "format and print data".

NAME
       printf - format and print data

       int printf(const char *format, ...);
       int fprintf(FILE *file, const char *format, ...);
       int dprintf(int fd, const char *format, ...);
       int sprintf(char *str, const char *format, ...);
       int snprintf(char *str, size_t size, const char *format, ...);

The functions in the printf() family produce output according to a format parameter.
In the format string, a percent character acts as a placeholder for each of the values you want to print, typically followed by a letter to denote how to do the formatting.
%s means print as a text string, %c says to print a single character, %d denotes print as a decimal integer, and %p means print as a formatted memory address, also known as a pointer. The less familiar %n at the end of Schou's network name doesn't print anything at all: it writes the number of characters output so far into a memory location supplied as an argument, which is why a format string bug can turn into a memory write rather than merely a crash or an information leak.
As well-known researcher CodeColorist subsequently discovered by decompiling the offending iOS code, the bug does indeed arise because the untrusted ESSID (the network name) ends up mixed into the format string of a later system call that relies on printf()-like functionality, so the % sequences in the name are interpreted as conversion specifiers instead of being treated as plain text.
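To make the explanation concrete, here is a small C example added for this article; it is not code from the article, from Schou, from CodeColorist, or from iOS. It models the pattern CodeColorist described with two hypothetical logging helpers, log_join_vulnerable() and log_join_safe(), plus a checker, count_conversions(), that counts the conversion specifiers a printf()-family function would see in a string. The SSIDs are constructed: a benign one that exercises the bug without undefined behaviour (a "%%" escape consumes no argument), and Schou's, which is only ever counted, never used as a format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helpers standing in for the kind of code CodeColorist
 * described: the network name is first mixed into a message, and that message
 * is then handed to a printf()-style call as its *format*. */

/* VULNERABLE: the SSID becomes part of the format string.
 * Step 1 is fine (the SSID travels as a %s argument). Step 2 is the bug: the
 * text that now contains the SSID is passed where a trusted format string
 * belongs, so any % sequences in the SSID are interpreted as conversion
 * specifiers. Most compilers flag step 2 with -Wformat-security. */
static void log_join_vulnerable(char *out, size_t out_len, const char *ssid)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Joining network %s", ssid);   /* step 1: OK  */
    snprintf(out, out_len, msg);                              /* step 2: BUG */
}

/* FIXED: the format string is a constant; the SSID only ever travels as a
 * %s argument, so its contents are copied verbatim. */
static void log_join_safe(char *out, size_t out_len, const char *ssid)
{
    snprintf(out, out_len, "Joining network %s", ssid);
}

/* Defensive check: count the conversion specifiers a printf()-family function
 * would see in this string. A '%' immediately followed by another '%' is the
 * literal-percent escape and consumes no argument; every other '%' (including
 * a lone one at the end of the string) would. A non-zero result on untrusted
 * input means the text must never be used as a format string. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%', no argument consumed */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];

    /* Constructed SSIDs (not captured from a real network). */
    const char *benign = "Cafe 100%% free";
    const char *schou  = "%p%s%s%s%s%n";

    log_join_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed to "%": the SSID was interpreted */

    log_join_safe(buf, sizeof buf, benign);
    printf("safe:       %s\n", buf);   /* SSID copied verbatim */

    /* Schou's name is only counted here. Feeding it to the vulnerable path
     * would make %p/%s read whatever is in the argument registers or on the
     * stack and %n write to memory: the crash the article is about. */
    printf("\"%s\" contains %d conversion specifiers\n", schou, count_conversions(schou));
    printf("\"%s\" contains %d conversion specifiers\n", benign, count_conversions(benign));
    return 0;
}
```

The benign SSID shows the defect without crashing anything: the vulnerable path prints "Cafe 100% free" because the "%%" in the name was interpreted as a format escape, while the safe path prints "Cafe 100%% free" exactly as received. Rejecting or escaping names for which count_conversions() is non-zero is a useful belt-and-braces check, but the real fix is the one in log_join_safe(): untrusted data goes in the arguments, never in the format.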