Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

[MacRumors]

Google's Project Zero published a blog post this week about a previous security threat wherein malicious websites quietly hacked into the victim's iPhone. This small collection of hacked websites were used in what was described as "indiscriminate" attacks against unsuspecting visitors for years, but the threat has been addressed by Apple.

If the attacks were successful, a monitoring implant would be installed on the targeted iPhone, able to steal private data including messages, photos, and GPS location in real time. Google estimated that thousands of visitors headed to these websites per week over the course of two years, and that iOS versions ranging from iOS 10 to iOS 12 were exploited.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

Project Zero discovered exploits for a total of 14 vulnerabilities in iOS, seven for Safari, five for the kernel, and two separate sandbox escapes. The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.

Google's deep dive into the iOS exploit can be read on the company's Project Zero blog.

Article Link: Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

 

[noSpeed]

So what were the malicious sites?

 

[Airforcekid]

I'm assuming installing the latest update would also remove the exploit if its installed? Would love to see a list of affected websites but if they were somehow attached to ads this could be very bad.

 

[Expos of 1969]

The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).

 

[DCIFRTHS]

So what were the malicious sites?

Same question. Read the articles, and didn’t see them listed. Maybe I missed them... I feel google has the responsibility to disclose them.

 

[M.PaulCezanne]

So what were the malicious sites?

Yeah, why no links?

 

[avtella]

Same question. Read the articles, and didn’t see them listed. Maybe I missed them... I feel google has the responsibility to disclose them.

Google reported it to Apple and I suppose it’s up to Apple to disclose it. If I’m not mistaken Google generally only goes public with security flaws before hand if the affected party doesn’t fix the issue within a set time limit.

 

[mdatwood]

Sounds like working as intended. Bugs found, reported and fixed in the same month.

 

[Strelok]

The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).

You can have privacy as your priority and still have exploits target you. The two aren’t mutually exclusive.

I don’t get what’s up with all the smoke and mirrors here with none of the affected sites mentioned.

Edit: the details on the exploits are mentioned in the link, didn’t see them with a quick glance.

 

[bigboy29]

While Google clearly has an agenda here ("Real users make risk decisions based on the public perception of the security of these devices.") - it is a good thing that stuff gets disclosed (and then fixed).

 

[Mick-Mac]

I actually like that vulnerabilities are made aware to Apple for them to fix. and that they are provided with an incentive to fix them in a timely manner - or else...

 

[Daveoc64]

You can have privacy as your priority and still have exploits target you. The two aren’t mutually exclusive.

I don’t get what’s up with all the smoke and mirrors here, none of the sites mentioned and it doesn’t seem to mention how the exploit actually worked.

The Project Zero blog post links to further posts which explain the exploit in excruciating detail.

 

[TechFounder]

Bad idea to disclose because some people don’t install the latest firmware and are still vulnerable.

 

[TheShadowKnows!]

Kudos to Google's Project Zero in spades.
GOTO: https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

"... we examined how the attackers gained unsandboxed code execution as root on iPhones. At the end of each chain we saw the attackers calling posix_spawn, passing the path to their implant binary which they dropped in /tmp. This starts the implant running in the background as root. There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.

The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.

Before diving into the code let's take a look at some sample data from a test phone running the implant and communicating with a custom command and control server I developed. To be clear, I created this test specifically for the purposes of demonstrating what the implant enabled the attacker to do and the screenshots are from my device. The device here is an iPhone 8 running iOS 12.

The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. We can see here screenshots of the apps on the left, and on the right the contents of the database files stolen by the implant which contain the unencrypted, plain-text of the messages sent and received using the apps..."

 

[macfacts]

This is why regular updates matter on iOS. They need them.

 

[PlayUltimate]

not defending: seems that they were not very popular sites if only 1000's visited per week. And I suspect the attack required "permission" from the visitor since every attack was not successful. Not sure how big the issue truly is considering the iPhone installed user base.

 

[Strelok]

The Project Zero blog post links to further posts which explain the exploit in excruciating detail.

Yup, just saw it.

 

[ninjadex]

So Apple has known about this, but they decided to move forward anyway and double down on “Privacy” as a key marketing point?

 

[TMRJIJ]

The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).

...

The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.

 

[JosephAW]

What they don't tell you is the vulnerability only affected apps made by a company named Alphabet Inc.

The sites that infected iPhones were web sites that the majority of iPhone users never visit. IE: pr0n sites.

 

[FFR]

Yeah, why no links?

What if it was a google owned site?

 

[allpar]

So Apple has known about this, but they decided to move forward anyway and double down on “Privacy” as a key marketing point?

Privacy is still a marketing point. Do you think there are no parallel vulnerabilities in Android? And with Android, Google gets your info regardless of exploits...

 

[TMRJIJ]

Bad idea to disclose because some people don’t install the latest firmware and are still vulnerable.

If Google's team didn't disclose these exploits, would those people have any incentive to install the latest firmware?

 

[allpar]

Having just read the full article... well, having read through parts of the full article... I have to say that users really should be notified if they were affected, because they need to change a LOT of their passwords. So is Apple notifying users, or just letting them stay in blissful ignorance?

 

[ChrisNH]

Google is trying to be a Crook and a Policeman simultaneously.

OK.