Security researchers working in the Project Zero team at Google say they have discovered a number of hacked websites that used previously undisclosed security flaws to indiscriminately attack any iPhone that visited them. Motherboard reports that the attack could be one of the largest ever against iPhone users. If a user visited one of the malicious websites with a vulnerable device, their personal files, messages and real-time location data could be compromised. After the researchers reported their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year.
Motherboard notes that the attack might have allowed the sites to install an implant with access to an iPhone's keychain. This would have given the attackers access to any login credentials or certificates stored there, and could also have given them access to the databases of apparently secure messaging apps such as WhatsApp and iMessage. Although these apps use end-to-end encryption for message transfer, an attacker would gain access to previously encrypted messages in plain text if an end device was compromised by this attack.
The attack is notable for how indiscriminate it is. Motherboard notes that other attacks are usually more targeted, with individual links being sent to targets. In this case, simply visiting a malicious site could be enough for a device to be attacked and have an implant installed on it. The researchers estimate that the affected sites were visited by thousands of visitors every week.
The implant installed by the malicious sites is deleted when a user restarts their phone. However, the researchers say that because the attack compromises a device's keychain, the attackers can gain access to all authentication tokens it contains, and these can be used to access accounts and services long after the implant has disappeared from a compromised device.
In total, the researchers say they discovered 14 vulnerabilities across five different exploit chains, including one that had not been patched when the researchers discovered it. iOS versions 10 to 12 were all affected by the vulnerabilities, and the researchers said the attackers had been trying to hack users for at least two years.
The team says they contacted Apple in February to report the vulnerability and gave the company only seven days to fix it. TechCrunch notes that this is a much shorter deadline than the typical 90-day window usually given by researchers, and probably indicates how serious the vulnerabilities are. Apple has fixed the vulnerabilities with iOS 12.1.4, the same update that fixed a major FaceTime security issue.
Although the vulnerabilities have now been patched, the researchers note that there are likely to be more that they have yet to discover. "For this one campaign we've seen, there are almost certainly others to be seen," they write. You can find the full details of the exploits in the researchers' blog post.