Tim Cook participates in a roundtable at the TIME 100 2019 Summit on April 23, 2019 in New York.
Brian Ach | Getty Images
Google Project Zero, a group that examines and publishes security and privacy breaches found in public software, announced Thursday night that the iPhone software had huge security holes that had existed for two years. The exploits allowed the attackers to have access to photos, location information, private messages, etc.
Apple recently launched a big marketing campaign around iPhone privacy. At CES 2019, right in front of the main conference center bearing the Google Assistant logo, Apple has released an ad titled "What's happening on your iPhone stays on your iPhone". The company has also aired commercials touting the privacy features of the iPhone.
The flaws were corrected in February when Apple released iOS 12.1.4 after Google informed the company. That's why Google is now talking about these flaws in public. But Google said the attack could be used against iPhone owners who visited a "small collection of hacked websites" and could have touched "thousands of visitors a week".
According to the Project Zero Threat Analysis (TAG) group, fourteen different holdings were used by hackers to extract private information from the iPhone. "Seven for the iPhone's web browser, five for the kernel and two separate breakouts," said the group.
Google said that it was not targeted at specific people, all you had to do was visit an infected site.
A flaw allowed attackers to gain access to private messages. "The implant has access to all the database files (on the victim's phone) used by the most popular end-to-end encryption applications such as WhatsApp, Telegram and iMessage," TAG explained, noting that attackers could obtain database files with -text messages sent and received using the applications. "
The attacks could also allow hackers to access contacts, Gmail messages, photos and location information in real time, said the group, noting that hackers could also install applications.
"The implant has access to almost all of the personal information available on the device, which it can download to the attacker's server without encryption," TAG explained. "The implant binary file does not persist on the device.If the phone is rebooted, the implant will not work until the device is re-operated when the user visits again. compromised site Given the sheer scale of stolen information, attackers may still be able to maintain persistent access to various accounts and services by using the stolen authentication tokens of the keychain, even after the loss of the keychain. Access to the device. "
The flaws are corrected now, but Google said that "for this campaign we have seen, there are almost certainly others that remain to be seen".
An Apple spokesperson was not immediately available to comment.
Follow @CNBCtech on Twitter for the latest technology news.