Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

MacRumors

macrumors bot
Apr 12, 2001
7,183
8,361
0
19
www.macrumors.com



Google's Project Zero published a blog post this week about a previous security threat wherein malicious websites quietly hacked into the victim's iPhone. This small collection of hacked websites were used in what was described as "indiscriminate" attacks against unsuspecting visitors for years, but the threat has been addressed by Apple.


If the attacks were successful, a monitoring implant would be installed on the targeted iPhone, able to steal private data including messages, photos, and GPS location in real time. Google estimated that thousands of visitors headed to these websites per week over the course of two years, and that iOS versions ranging from iOS 10 to iOS 12 were exploited.
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.
Project Zero discovered exploits for a total of 14 vulnerabilities in iOS, seven for Safari, five for the kernel, and two separate sandbox escapes. The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.

Google's deep dive into the iOS exploit can be read on the company's Project Zero blog.

Article Link: Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed
 
  • Like
Reactions: Tsepz

avtella

macrumors regular
Nov 11, 2016
208
159
0
Same question. Read the articles, and didn’t see them listed. Maybe I missed them... I feel google has the responsibility to disclose them.
Google reported it to Apple and I suppose it’s up to Apple to disclose it. If I’m not mistaken Google generally only goes public with security flaws before hand if the affected party doesn’t fix the issue within a set time limit.
 
Last edited:

Strelok

macrumors 65816
Jun 6, 2017
1,050
1,172
0
United States
The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).
You can have privacy as your priority and still have exploits target you. The two aren’t mutually exclusive.

I don’t get what’s up with all the smoke and mirrors here with none of the affected sites mentioned.

Edit: the details on the exploits are mentioned in the link, didn’t see them with a quick glance.
 

bigboy29

macrumors regular
May 19, 2016
145
104
0
While Google clearly has an agenda here ("Real users make risk decisions based on the public perception of the security of these devices.") - it is a good thing that stuff gets disclosed (and then fixed).
 

Mick-Mac

macrumors regular
Oct 24, 2011
161
251
0
I actually like that vulnerabilities are made aware to Apple for them to fix. and that they are provided with an incentive to fix them in a timely manner - or else...
 
  • Like
Reactions: centauratlas

Daveoc64

macrumors 601
Jan 16, 2008
4,057
49
0
Bristol, UK
You can have privacy as your priority and still have exploits target you. The two aren’t mutually exclusive.

I don’t get what’s up with all the smoke and mirrors here, none of the sites mentioned and it doesn’t seem to mention how the exploit actually worked.
The Project Zero blog post links to further posts which explain the exploit in excruciating detail.
 

TechFounder

macrumors member
Aug 20, 2015
31
60
0
Bad idea to disclose because some people don’t install the latest firmware and are still vulnerable.
 

TheShadowKnows!

macrumors 6502a
Sep 30, 2014
799
1,560
0
National Capital Region
Kudos to Google's Project Zero in spades.
GOTO: https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

"... we examined how the attackers gained unsandboxed code execution as root on iPhones. At the end of each chain we saw the attackers calling posix_spawn, passing the path to their implant binary which they dropped in /tmp. This starts the implant running in the background as root. There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.

The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.

Before diving into the code let's take a look at some sample data from a test phone running the implant and communicating with a custom command and control server I developed. To be clear, I created this test specifically for the purposes of demonstrating what the implant enabled the attacker to do and the screenshots are from my device. The device here is an iPhone 8 running iOS 12.

The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. We can see here screenshots of the apps on the left, and on the right the contents of the database files stolen by the implant which contain the unencrypted, plain-text of the messages sent and received using the apps..."
 

PlayUltimate

macrumors regular
Jul 29, 2016
239
272
0
Boulder, CO
not defending: seems that they were not very popular sites if only 1000's visited per week. And I suspect the attack required "permission" from the visitor since every attack was not successful. Not sure how big the issue truly is considering the iPhone installed user base.
 

ninjadex

macrumors 6502
Jun 1, 2004
322
195
0
So Apple has known about this, but they decided to move forward anyway and double down on “Privacy” as a key marketing point?
 
  • Like
Reactions: Lalatoon

TMRJIJ

macrumors 68040
Dec 12, 2011
3,187
5,134
0
South Carolina, United States
IsiahJohnson.com
The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).
...
The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.
 

allpar

macrumors 6502
May 20, 2002
299
34
0
dave.zatz.us
So Apple has known about this, but they decided to move forward anyway and double down on “Privacy” as a key marketing point?
Privacy is still a marketing point. Do you think there are no parallel vulnerabilities in Android? And with Android, Google gets your info regardless of exploits...
 
  • Like
Reactions: ssspinball

allpar

macrumors 6502
May 20, 2002
299
34
0
dave.zatz.us
Having just read the full article... well, having read through parts of the full article... I have to say that users really should be notified if they were affected, because they need to change a LOT of their passwords. So is Apple notifying users, or just letting them stay in blissful ignorance?
 
  • Like
Reactions: east85 and smileman