Security researchers at Google's Project Zero claimed that they have come across several malicious websites. Researchers revealed that those websites could compromise the security of a victim's iPhone. When visited, those malicious websites could manage to hack into the iPhone. The hack could be possible by exploiting previously hidden security loopholes in iOS. In their blog post, Google Project Zero team said that the company's Threat Analysis Group (TAG) found out a bunch of compromised websites. Security researchers at Google collected five iPhone exploit chains between iOS 10 and iOS 12. It was an indication that a group of hackers could be targetting select iPhone users for two years or so.
"The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day. There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," said Ian Beer, Project Zero. "I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users," Beer added.
Google discovered 14 vulnerabilities across 5 exploit chains. They were further divided into groups as follows: 7 for web browser, 5 for kernel and 2 separate sandbox escapes. Google's Initial analysis indicated that at least one of the exploit chains was unpatched at the time of discovery. Google said that it reported these issues to Apple with a 7-day deadline on 1st February 2019, resulting in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. Google further said that it also shared the complete details with Apple, which were disclosed publicly on 7th February 2019. For more information, you can check Google's detailed blog post.
(Story picture: AP)