Security researchers working in Google’s Project Zero team say they have discovered a number of hacked websites that used previously undisclosed security flaws to indiscriminately attack any iPhone that visited them. Motherboard reports that the attack could be one of the largest ever conducted against iPhone users. If a user visited one of the malicious websites using a vulnerable device, then their personal files, messages, and real-time location data could be compromised. After the researchers reported their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year.
Motherboard notes that the attack could have allowed the sites to install an implant with access to an iPhone’s keychain. This would have given the attackers access to any credentials or certificates contained within it, and could also allow them to access the databases of seemingly secure messaging apps like WhatsApp and iMessage. Despite these apps using end-to-end encryption for the transfer of messages, if an end device was compromised by this attack, then an attacker could access previously encrypted messages in plain text.
The attack is notable because of how indiscriminate it is. Motherboard notes that other attacks are typically more targeted, with individual links being sent to targets. In this case, simply visiting a malicious site could be enough to be attacked, and for an implant to be installed on a device. The researchers estimate that the compromised sites received thousands of visitors each week.
The implant installed by the malicious sites would be deleted if a user rebooted their phone. However, the researchers say that because the attack compromises a device’s keychain, the attackers could gain access to any authentication tokens it contains, and these could be used to maintain access to accounts and services long after the implant has disappeared from a compromised device.
In total, the researchers say they discovered 14 vulnerabilities across five different exploit chains, including one which was unpatched at the time the researchers discovered it. iOS versions 10 through 12 were all affected by the vulnerabilities, which the researchers say indicates that the attackers were attempting to hack users over at least two years.
The team says they contacted Apple to report the vulnerability back in February, and gave the company just seven days to patch it. TechCrunch notes that this is a far shorter deadline than the typical 90-day window usually given by researchers, and likely reflects how serious the vulnerabilities are. Apple patched the vulnerabilities with iOS 12.1.4, the same update that fixed a major FaceTime security flaw.
Although the vulnerabilities have now been patched, the researchers note that there are likely to be more out there that they’re yet to discover. “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” they write. You can find full details of the exploits in the researchers’ blog post.