Security researchers working in Google’s Project Zero team say they have discovered a number of hacked websites which used previously undisclosed security flaws to indiscriminately attack any iPhone that visited them. Motherboard reports that the attack could be one of the largest ever conducted against iPhone users. If a user visited one of the malicious websites using a vulnerable device, then their personal files, messages, and real-time location data could be compromised. After reporting their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year.
Motherboard notes that the attack could have allowed the sites to install an implant with access to an iPhone’s keychain. This would have given the attackers access to any credentials or certificates contained within it, and could also allow them to access the databases of seemingly secure messaging apps like WhatsApp and iMessage. Despite these apps using end-to-end encryption for the transfer of messages, if an end device was compromised by this attack, then an attacker could access previously encrypted messages in plain text.
The attack is notable because of how indiscriminate it is. Motherboard notes that other attacks are typically more targeted, with individual links being sent to targets. In this case, simply visiting a malicious site could be enough to be attacked, and for an implant to be installed on a device. The researchers estimate that the compromised sites were visited by thousands of visitors each week.
The implant installed by the malicious sites would be deleted if a user rebooted their phone. However, the researchers say that since the attack compromises a device’s keychain, then the attackers could gain access to any authentication tokens it contains, and these could be used to maintain access to accounts and services long after the implant has disappeared from a compromised device.
In total, the researchers say they discovered 14 vulnerabilities across five different exploit chains, including one which was unpatched at the time the researchers discovered it. iOS versions 10 through 12 were all affected by the vulnerabilities, which the researchers say indicates that the attackers were attempting to hack users over at least two years.
