Writing on the Project Zero blog, security researcher Ian Beer describes how Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites earlier this year that were being used to target iPhone users. According to the Project Zero team, merely visiting these hacked websites was enough for the exploit servers to attack the visitor's iPhone.
"The implant has access to nearly all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server", said Project Zero's Ian Beer, a white hat hacker and cybersecurity researcher.
As part of a 30-month-long operation, researchers were able to take advantage of an exploit in Apple's default web browser, Safari, to load malware onto devices. The vulnerabilities affect iOS 10 through to the latest iOS 12 version.
While the choice of sites appeared created to target certain communities, the attack was otherwise indiscriminate.
The slight bit of good news is that anyone who visited a malicious website that deployed the implant can prevent it from running by rebooting their device (and further prevent it by upgrading their version of iOS to the latest available).
Southampton vs. Manchester United Live Stream
Danish defender Vestergaard broke his duck for the club with a towering 58th-minute header to cancel out Daniel James' opener. And Scholes believes his old side require a lot of work before they're in a position to challenge for silverware.
Apple fixed the flaws in February with the release of iOS12.1.4 after Google notified it of the vulnerabilities. "We estimate that these sites receive thousands of visitors per week", he wrote in the blog.
The issue was discovered by Google security researchers, who claim the infiltration has been going on for at least two years.
Motherboard characterized the hacks, which left a mountain of victims' personal data and information compromised, as possibly "one of the largest attacks against iPhone users ever".
Hackers exploited flaws in iPhone software to stealthily take over a victim's device and access a user's contact info, media files and Global Positioning System location, together with data from Instagram, WhatsApp, Telegram and Gmail. In addition, the implant also had access to users' device's keychain data containing credentials, authentication tokens, and certificates used on and by the device. If the phone is successfully compromised, it will install a monitoring implant discreetly into the victim's iPhone. Furthermore, attackers can use already stolen information to access various accounts and services even if the implant is wiped.
Apple declined comment, but make sure your iPhone is fully updated to make sure this vulnerability can't impact you. - Fair play to Apple, it released the patch within 6 days of being informed of the issues.