Apple’s reputation is better than most when it comes to the privacy and security its devices offer, but that reputation took a hit last week when Google revealed how visiting a website was sufficient to hack an iPhone.
Earlier this year, Google’s security analyst team, Project Zero, along with the Threat Analysis Group (TAG), found a group of compromised websites capable of hacking iPhones. The only thing an iPhone user had to do was visit one of the sites for an attack to be attempted. If the attack was successful, the website would place a monitoring implant on the device.
The monitoring implant concentrates on seizing files and observing live location data. It steals data from messaging apps including iMessage, WhatsApp, Hangouts, and Telegram, as well as copying Gmail data, all contacts and photos stored on the device. According to PC Magazine:
Such an attack relies on zero-day exploits, which means there’s no protection against them on the targeted device(s). Further investigation by Project Zero revealed the websites were taking advantage of 14 different vulnerabilities used across five exploit chains. Seven of the vulnerabilities were in the Safari browser, five were for the iPhone’s kernel, and two were sandbox escapes. Anyone running iOS 10 through iOS 12 on their iPhone or iPad was vulnerable to these attacks. [1]
Due to the severity of the security breaches, Google reported them to Apple with a seven-day deadline to issue a fix rather than the 90-day period it usually offers. Google sent the report on February 1, 2019. On February 7, 2019, Apple released an iOS security update which closed the security holes.
Nonetheless, Google points out that even though this threat is no longer an issue, “there are almost certainly others that are yet to be seen.” [1]
Apple recently raised its maximum bug bounty payout to $1 million for security researchers who find loopholes that can secretly target an iPhone and obtain root-level privileges with no user interaction. Under Apple’s new bounty rules, which are set to go into effect later this year, Google would’ve been eligible for several million dollars in bounties.