Apple iPhones were affected by iOS exploits that allowed malicious websites to steal data from an iPhone user without their knowledge. The attacks were carried out through a series of hacked websites that indiscriminately distributed malware to iPhones for years before Apple addressed the flaws.
The news comes from a blog post by Google Project Zero’s Ian Beer, who said that the team discovered a “small collection of hacked websites” which were being used for “indiscriminate watering hole attacks” against users who visited these websites.
Beer explained, “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant”. Google’s Threat Analysis Group (TAG) was able to estimate that the sites received thousands of visitors every week.
TAG also disclosed that there were at least five iPhone exploit chains, which covered almost all versions of iOS from iOS 10 to the latest version of iOS 12. This meant that attackers had the means to compromise user data on iPhones for at least two years. The five distinct exploit chains involved 12 separate security flaws, 7 of which affected Safari, the built-in web browser on iPhones.
Google’s team said that it reported these issues to Apple on February 1, 2019, and within six days, Apple fixed the exploit by rolling out iOS 12.1.4 to iPhone and iPad users.