Google's Project Zero security researchers have revealed that they found several hacked websites that were used to attack iPhones for years. If people visited one of the sites, their messages, photos and location data could have been compromised. The team reported its findings to Apple earlier this year, and the vulnerabilities were patched in the same update that fixed the FaceTime eavesdropping bug.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Project Zero's Ian Beer wrote in a Thursday blog post detailing the team's discovery. "We estimate that these sites receive thousands of visitors per week."
The attacks are a rare public display of working iPhone exploits; iPhones are generally considered highly secure devices, and Apple has offered up to $1 million in bug bounties to security researchers who find critical vulnerabilities in them. Attacks on iPhones are usually difficult to carry out and have typically been limited to targeted espionage by governments. It's unclear who's behind this campaign, which could compromise any vulnerable iPhone with a single visit to one of the sites.
"It's always been possible, but the cost of these vulnerabilities on the open market means they've never been used in an attack like this before," Thomas Reed, director of Mac and mobile security at Malwarebytes, said in an email. "In the past, malware has been primarily used in targeted attacks by nation-states. By targeting specific people, they limit the exposure of the vulnerabilities used, protecting them against discovery by Apple."
The campaign didn't rely on any single vulnerability. Google's team found that it used 14 vulnerabilities across five separate exploit chains, each combining a browser bug (to get code execution from a web page) with kernel bugs (to escape the sandbox and take over the device). The chains covered versions from iOS 10 through the current release, iOS 12, meaning the attackers targeted iPhone users for at least two years. After Google disclosed the vulnerabilities to Apple in February, the company issued a patch less than a week later.
A successful exploit gave attackers full control of a victim's iPhone, allowing them to install malicious apps, get real-time location data and steal photos and messages, even from apps that encrypt them in transit. Because the implant ran with that deep level of access, it could read message contents directly from the device, where they are stored in plaintext before being encrypted for sending, Google's researchers said. The implant could also read the device's keychain, which holds passwords and authentication tokens, as well as the on-device database files used by end-to-end encrypted messaging apps like WhatsApp, Telegram and iMessage.
As the implant siphoned off people's personal information, it uploaded that data to its command server without encryption, which meant that anyone positioned on the network path, including other users of the same Wi-Fi network, could also see all of the stolen content.
The implant was not persistent: it was wiped when people rebooted their iPhones, but it would be reinstalled if they visited one of the hacked sites again, the report noted. Also, even after the implant was gone, the attackers could do further damage with the passwords and private messages it had already stolen. There's also no way for a user to tell if they've been affected, Reed said. iOS doesn't allow third-party malware scans, and it's possible that contributed to the campaign staying hidden for so long, the security researcher said.
"The very nature of iOS, intended to keep devices secure, may have worked against us in this case by preventing the attack from being discovered," Reed said.
Apple declined to comment. Make sure your iPhone is fully updated; the fixes shipped in iOS 12.1.4, the same release that closed the FaceTime eavesdropping bug, and any later version includes them.
First published Aug. 30 at 2:52 a.m. PT. Update, 3:38 a.m. PT: Notes that Apple declined comment and adds details. Update, 5:09 a.m. PT: Adds more details and context on the hack. Update, 8:48 a.m. PT: Adds quotes from security researcher.