Google security researchers said that they have detected several malicious websites which, when visited, would hack into the visitor's iPhone without any alert. This was possible through the exploitation of a number of previously undisclosed security flaws in the software.
Google’s Project Zero said that these harmful websites were visited several thousand times per week by visitors who had no idea what was going on. Ian Beer, a security researcher at Project Zero, said that simply visiting the malicious website was enough for the device to be exploited and, if the exploit succeeded, for a monitoring implant to be installed. The hacking of iPhones continued for at least two years.
Five unique exploit chains were detected, involving a total of twelve separate security flaws. Seven of these flaws involved Safari, the default browser on iPhones. With the help of the other five exploit chains, an attacker could gain root access (the highest access level) to the iPhone. As a result, the attackers could access all of the device's features, including those not accessible even to the users. This allowed them to install applications or other malware on the devices without the users' knowledge.
According to Google's analysis, these vulnerabilities allowed users' personal photos and messages, along with their live location, to be stolen. They also provided access to the passwords saved on the devices. iOS versions 10 to 12 were affected by these vulnerabilities.
Google privately disclosed the flaws to Apple in February, giving it only a week to fix them and roll out updates to users. Because the security flaws were so severe, the developers were given very little time. After six days, Apple rolled out security patches for iOS 12.1.4 for iPhone 5s, iPad Air and later models.
Beer said that there may be other hacking campaigns currently operating. Apple has a good reputation for handling security-related issues. It has also increased its bug bounty payment to a maximum of a million dollars for security researchers who find flaws that allow intruders to get root-level access to the device without any interaction from the user. Under Apple’s new bounty rules, set to go into effect later this year, Google would’ve been eligible for several million dollars in bounties.