Why are we not being told the websites so that we know if we could have been affected and so that we can block the websites?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed
- Thread starter MacRumors
- Start date
- Sort by reaction score
Stick that on a billboard
Google's Project Zero published a blog post this week about a previous security threat wherein malicious websites quietly hacked into the victim's iPhone. This small collection of hacked websites were used in what was described as "indiscriminate" attacks against unsuspecting visitors for years, but the threat has been addressed by Apple.
If the attacks were successful, a monitoring implant would be installed on the targeted iPhone, able to steal private data including messages, photos, and GPS location in real time. Google estimated that thousands of visitors headed to these websites per week over the course of two years, and that iOS versions ranging from iOS 10 to iOS 12 were exploited.
Project Zero discovered exploits for a total of 14 vulnerabilities in iOS, seven for Safari, five for the kernel, and two separate sandbox escapes. The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.
Google's deep dive into the iOS exploit can be read on the company's Project Zero blog.
Article Link: Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed
This.
Going to quote it simply to counter the inevitable posts saying Apple somehow screwed up....blah....blah....blah.
First off, Apple didn't ignore this exploit for years. They simply didn't know about it. The only reason it went unnoticed for so long is because it wasn't widespread. Once an exploit becomes common it's usually discovered quickly. This is why zero-days are so valuable and often sold to governments or others who can afford to pay a couple million for an exploit. It's also why those same people only use the exploits on targets they consider valuable, because once it's out there it will be discovered and fixed.
Secondly, Apple dealt with it immediately. Google notified Apple on Feb 1st and Apple released a patch on Feb 7th. This is a perfect example of Apple having superior security to Android. Exploits will always exist. Being able to quickly roll out a fix for an exploit is one of the most important methods in dealing with them. Something Android is absolutely horrible at.
Sure. Along with the time Google discovered a security flaw in Safari and instead of notifying Apple so they could fix it they wrote malware to exploit it so they could keep tracking users.
So the moral of the story is: If Google can somehow embarrass Apple over an exploit they'll release information to the public. If they can use the exploit to their own advantage, they'll keep quiet about it.
Yes, thank God for Google and PZ. It's too bad that iOS was basically insecure for 2 years though.
It depends on the company honestly. They've been caught a few times with sending out info about an exploit very quickly after letting the company know. Most of the time its done to make Google look better.
Serious question: If Apple values privacy so highly why do they not have a division like Googles Project Zero doing this kind of work? If they do have such a division, what has it exposed over the years?
I used to have an app that showed all background processes but Apple pulled the API on newer iOS version. Now we have no clue what's running. Time for background process settings to show all processes running and real world explanation of them not just some obscure file name.
It says hacked websites. If you have inadvertently clicked a link on some clickbait site or in a phishing email, you could have landed on one of those. There would be no way to have a comprehensive list of such sites.
(I’m not a security expert, just my interpretation of the article.)
What's your point? Are you saying that you can't have Privacy as your goal if your code has bugs? How utterly stu....
There is already a thread about it.
https://forums.macrumors.com/thread...-steal-user-data-for-years-now-fixed.2195735/
https://forums.macrumors.com/thread...-steal-user-data-for-years-now-fixed.2195735/
Logical fallacy. I could also ask you:
If Google values security so highly, why don’t they update all Android devices at the same time?
All software has bugs and security problems. How a vendor handles them when found is important. The recent change where Apple will give rooted, developer iOS devices to security researches should help them find even more of these types of issues.
Are you serious?
Cause of the vulnerability were, as the researcher pointed out
„cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users“
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
So Apple has a lot of homework to do.
Do you really believe that most iPhone users don’t visit porn sites?
You can always count on one of these posts. Every time! No real contribution, just wanting to be first about what someone else will say.
Here's my contribution: I appreciate any company that can find these vulnerabilities and share them with Apple. I regularly update my phone in hopes of avoiding these types of exploits. Just need Apple and the likes to keep doing their part.
How about the fact that the patch supports all iOS devices going back to 2013? Good luck finding that kind of software support on Android.
Apple does value privacy, google not so much.
https://gizmodo.com/google-wants-it-both-ways-1837614774
Google values ad revenue over privacy, everyone knows that.
Wow, dealing with you is certainly frustrating. Your response to questions is often "Source" or "Logical fallacy" or some similar nonsense. Google does not put huge billboards on buildings or put up slides during their keynote presentations stating that PRIVACY is so important to them and they really focus on it. But your beloved Apple does so my question is a very sound question to which you have no concrete response. I never said that Google values security highly but Apple certainly states publicly that it does. Therefore, you should be able to answer my question quite easily but obviously Apple and its actions does not provide you with credible information to do so.
No problem. But it would be easier and more honest if you just said that you cannot answer the question rather than stating "Logical fallacy. I could ask you..."
Apple has employees looking for bugs in their own OSes. Google has employees looking for bugs in all OSes, and whenever a non-android bug shows up they tell the world about it to make it seem that Android is more secure.