If you’re unfamiliar with Google’s Project Zero team, it is tasked with helping companies find security vulnerabilities, and recently it turned its gaze to iOS devices and hacked websites. We mention Project Zero as it recently posted a blog detailing some of its most recent finding as it pertains to iPhones.
More specifically the team discovered a number of hacked websites which conducted malicious attacks on iPhones that visited them. This latest discovery could be the largest attack of its kind conducted against iPhone users, according to Motherboard.
The site adds that these hacked sites were able to compromise sensitive data on vulnerable iPhones, including personal files, messages and perhaps most worryingly real-time locations.
It should also be mentioned that Google says it contacted Apple about the issue in February earlier this year, with a patch to address having been rolled out within seven days. This is far shorter than the usual 90-day window that Apple takes to address such issues.
The firm also did not go into detail about the hacked sites, which has prompted Motherboard to ask employees of the companies running the websites to come forward anonymously to provide more information. At the time of writing no one has come forth.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” explains Project Zero’s Ian Beer.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” he continues.
The Project Zero team adds that it has discovered 14 vulnerabilities across five specific iOS exploits.
“Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes,” notes Beer.
While it is indeed good to see Google taking a closer look at security for sites and the like, the fact that iPhone users are only finding out about this issue now, as well as not receiving any kind of advise on how to better spot a compromised site, does give some cause for concern.
As such we advise iPhone and Android users to take a cautious approach when visiting unsecure or new sites, keeping an eye for anything suspicious.