Security researchers at Google revealed today how iPhones are vulnerable to a critical exploit. The researchers also revealed the number of websites that have been hacking iPhones for the past two years using indiscriminate watering hole attacks.
How Can A Website Hack An iPhone?
In a lengthy blog post, Google Project Zero’s Ian Beer says that the attack did not discriminate between devices; the website itself had malicious code in it. When an iPhone user visits that particular website, the website automatically implants malicious software on the visitor’s iPhone. This malicious software can collect sensitive data such as images and contacts.
Researchers also said that the website attracted on the order of thousands of visitors per week. Any iPhone running a version from iOS 10 to iOS 12 is vulnerable to this attack.
How Does This Attack Work?
Researchers at Google identified 14 different security flaws across five exploit chains that were used to exploit Safari, the iPhone’s built-in browser. This includes five flaws affecting the kernel and two separate sandbox escapes.
Once the hacker launches the implant on the victim’s iPhone, he/she can gather information like images, data, GPS location and contacts and transfer it to an external server, with the data transmitted every 60 seconds, i.e. 1 minute. This puts the user at further risk, since the “data” also includes passwords. And who knows what more can be affected? Some people, to avoid forgetting their bank passwords, store them in notepad apps on their iPhones, and these too can be exposed to the hackers.
How Is Apple Responding To Google’s Disclosure?
The post says that the vulnerability was disclosed on 1st February 2019 and the company gave a 7-day deadline to Cupertino (Apple headquarters). The giant released a fix on 7th February 2019 in the form of the new iOS version 12.1.4.
So if you haven’t updated your iOS device yet, update it right now to protect yourself against the vulnerability.