Malicious websites have been used to secretly hack iPhones for years, according to Google – TechCrunch




Google security researchers say they have found a number of malicious websites that, once visited, could quietly hack a victim's iPhone by exploiting a set of hitherto unknown software flaws.

Google's Project Zero said in an in-depth article published on its blog last Thursday that the websites were visited thousands of times a week by unsuspecting victims, as part of what it describes as a "blind" attack.

"Simply visiting the hacked site was enough for the operating server to attack your device and, if successful, install a monitoring implant," said Ian Beer, a Project Zero security researcher.

He said the websites had hacked iPhones for a "period of at least two years".

The researchers discovered five chains of exploits involving 12 distinct security vulnerabilities, seven of which involved Safari, the built-in web browser on the iPhone. The five separate attack chains allowed an attacker to gain "master" access to the device – the highest level of access and privileges on an iPhone. With that access, an attacker could reach all of the device features that are normally inaccessible to the user. This means that an attacker could discreetly install malicious apps to spy on an iPhone owner without their knowledge or consent.

According to their analysis, the vulnerabilities were used to steal a user's photos and messages, as well as to track their location in near real time. The implant can also access the password bank stored on the user's device.

The vulnerabilities affect iOS 10 through the current version of iOS 12.

Google privately disclosed these vulnerabilities in February, giving Apple only a week to fix the flaws and deploy updates to its users. This is a fraction of the 90 days generally given to software developers, which gives an indication of the severity of the vulnerabilities.

Apple released a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

According to Beer, other hacking campaigns are currently underway.

The maker of the iPhone and iPad generally has a good reputation for security and privacy. Recently, the company increased its maximum bug bounty to $1 million for security researchers who discover flaws that can silently target an iPhone and gain root-level privileges without any interaction from the user. Under Apple's new bounty rules, which are expected to come into force later this year, Google would have been eligible for multi-million dollar bounties.

When reached, a spokesman for Apple declined to comment.
