The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.
As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received.
As the hacking contest shows us every year, web facing applications are continuing to be a challenge. Amazing to me that just visiting a website can cause that kind of a data spill!
I recently acquired my first virus in ten years by visiting a maliciously hacked site with a PC version of Opera AND up-to-date anti-virus software. No doubt about it, web facing applications have a tough life.