[ad_1]
Security researchers working on Google's Project Zero team claim to have discovered a number of hacked websites that used unknown security holes to attack any visited iPhone without discrimination. Motherboard reports that the attack could be one of the largest ever conducted against iPhone users. If a user visits one of the malicious websites with the help of a vulnerable device, his personal files, messages, and real-time location data could be compromised. After reporting their findings to Apple, the iPhone maker has corrected the vulnerabilities earlier this year.
Motherboard note that the attack could have allowed sites to install an implant with access to the keychain of an iPhone. Attackers would have access to the credentials or certificates they contain, but could also allow them to access seemingly secure email application databases such as WhatsApp and iMessage. . Despite these applications using end-to-end encryption for message transfer, if an end device was compromised by this attack, an attacker could then access previously encrypted messages in plain text.
The attack is remarkable because of its blindness. Motherboard note that other attacks are usually more targeted, with individual links being sent to targets. In this case, the mere fact of visiting a malicious site could be enough to be attacked and to install an implant on a device. The researchers estimate that the compromised sites have been visited by thousands of visitors each week.
The implant installed by the malicious sites would be removed if a user restarted his phone. However, the researchers say that since the attack compromises the keychain of a device, attackers could access the authentication tokens it contains and use them to retain access to accounts and services long after the disappearance of the device. implant of a compromised device.
In total, the researchers say they discovered 14 vulnerabilities on five different farm chains, including one uncorrected at the time they discovered it. The vulnerabilities were affected by the vulnerabilities of iOS 10 to 12, which, according to the researchers, indicates that the attackers attempted to hack users for at least two years.
The team said it contacted Apple to report the vulnerability in February, and give it only seven days to fix it. TechCrunch notes that it is a much shorter delay than the typical 90-day delay generally granted by researchers and that it probably reflects the severity of the vulnerabilities. Apple fixed the vulnerabilities with iOS 12.1.4, the same update that corrected a major security flaw of FaceTime.
Although the vulnerabilities were corrected, the researchers noted that there would probably be more to discover. "For this campaign we have seen, there are almost certainly others that remain to be seen," they write. You can find all the details about the exploits in the researcher's blog.
[ad_2]
Source link