Security researchers on Google’s Project Zero team say they have discovered several hacked websites that earlier used undisclosed security flaws to launch indiscriminate attacks on any iPhone that visited them. This attack, they say, could be the largest ever conducted against iPhone users. If someone visited any one of these malicious websites using a vulnerable device, their personal files, messages and real-time location data could be compromised.
Although the vulnerabilities were patched earlier this year, researchers have said that the attack may have allowed the sites to install an implant with access to an iPhone’s keychain. This would have given the attackers access to any credentials or certificates contained within it, and could also allow them to access the databases of seemingly secure messaging apps like WhatsApp and iMessage. Despite these apps using end-to-end encryption for the transfer of messages, if an end device was compromised by this attack, then an attacker could access previously encrypted messages in plain text, researchers said.
According to experts, this attack is significant because of how indiscriminate it is. While other attacks were more targeted, this one could compromise a device and install an implant simply because the device visited a malicious site. Researchers also estimate that the compromised sites were visited by thousands of visitors each week.
The implant installed by the malicious sites would be deleted if a user rebooted their phone. However, the researchers say that because the attack compromises a device’s keychain, the attackers could gain access to any authentication tokens it contains, and these could be used to maintain access to accounts and services long after the implant has disappeared from a compromised device.
In total, the researchers say they discovered 14 vulnerabilities across five different exploit chains, including one which was unpatched at the time the researchers discovered it. iOS versions 10 through 12 were all affected by the vulnerabilities, which the researchers say indicates that the attackers were attempting to hack users over at least two years.
The team says they contacted Apple to report the vulnerability back in February, and gave the company just seven days to patch it. Although the vulnerabilities have now been patched, the researchers note that there are likely to be more out there that they’re yet to discover.