Google Found iPhone Security Flaws That Let Websites Hack Your Data For Years

According to security researchers under Google’s Project Zero, they discovered several hacked sites which slipped malware to people’s iPhones for years. If users go to one of those websites, their photos, location data, and messages, could have been stolen. The findings were reported to Apple earlier this year, and the company patched the vulnerability in the same update with the eavesdropping bug in FaceTime.

Ian Beer, a researcher from Project Zero wrote in a blog post on Thursday that detailed the team’s discovery:

Those attacks indicate the vulnerabilities that are hardly seen in iPhones, which are known for great security. Apple has offered security researchers up to $1 million if they discover critical vulnerabilities on its devices. It’s often difficult to attack iPhones and attacks are usually hacking information between countries. There’s no telling who’s behind the attack which could compromise millions of devices with just one visit.

Malwarebytes director of Mac and mobile security Thomas Reed, said:

The hack did not work off of just one vulnerability. It was found by Google’s team that it took advantage of 14 zero-day vulnerability in five separate exploit chains. Those vulnerabilities ran on iOS versions from 10 to 12, which means iPhone users have been targeted for at least two years. In February, Google reached out to Apple and disclosed the vulnerability, it took the iPhone maker less than a week to patch the issue.

With this hack, attackers gain full control of their victims’iPhones, which let them obtain real-time location data, install malicious apps, steal photos as well as messages despite encryption.  As the malware has deep access, it’s able to get message contents before they got encrypted, according to Google’s researchers. The implant could gain access to the keychain of the device, including database files and passwords by messaging apps with end-to-end encryption such as iMessage, Telegram, and WhatsApp.

Since the attacks stole users' personal information, they sent data without encryption, meaning people using the same Wi-Fi network could view the stolen content too.

And if users rebooted their Apple phones, the malware was removed, but it would return once users revisited a hacked website, as noted in the report. In addition, even after the malware had gone, hackers could further damage to the device using stolen private messages and passwords it obtained. Reed added that users cannot tell if their devices have been affected either.

iOS does not include scanning malware, which might have contributed to the hack, the researcher pointed out. He said that iOS’ nature is keeping devices secure, but this may have turned into a tool against users in this hack as it prevents the attack from being found.

Apple refused to comment but you should ensure your iPhone has got the latest update to keep this vulnerability away from you.