Google security researchers say they have discovered a number of malicious websites that, when visited, can easily penetrate a victim's iPhone using a set of previously undisclosed software flaws.
Project Zero said in a deep-dive blog post published late Thursday that the websites were visited thousands of times a week by unsuspecting victims in what they described as an "indiscriminate" attack.
"Just visiting the hacked site was enough to use the server to attack your device, and if that was successful, install a monitoring implant," says Ian Beer, a security researcher at Project Zero.
that websites have been hacking iPhones for at least two years.
Researchers found five different exploit chains, including 1
Google stated that, based on their analysis, the vulnerabilities were used to steal photos and messages from the user, and to track their location in near real time. The "implant" could also gain access to the bank of saved passwords on the user's device.
The vulnerabilities affect iOS 10 through the current version of iOS 12.
Google privately disclosed the vulnerabilities in February, giving Apple just a week to fix the flaws and deploy updates to its users. That is a fraction of the 90 days usually given to software developers, an indication of the severity of the vulnerabilities.
Apple released a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.
Beer said that other hacking campaigns might be in the works right now.
The iPhone and iPad maker on the whole has a good rap on security and privacy issues. The company recently increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target the iPhone and gain root privileges without any user interaction. Under Apple's new rules, which come into force later this year, Google would be entitled to several million dollars in bounties.
When reached, an Apple spokesman declined to comment.