TEXXR

Chronicles

The story behind the story


An in-depth look at five iOS exploit chains that were used in hacked websites for carrying out watering hole attacks against devices running iOS 10 through 12

In the earlier posts we examined …

  • Ryan Whitwam / ExtremeTech : Google Discovered Malicious Websites Used to Hack iPhones for Years
  • Jon Porter / The Verge : Google reveals major iPhone security flaws that let websites hack phones
  • Don Reisinger / Fortune : Apple's Planned iPhone Unveiling Overshadows Other Big News
  • VICE : This Has Been the Worst Year for iPhone Security Yet
  • Ian Beer / Project Zero : In-the-wild iOS Exploit Chain 1
  • Rude Baguette : Google security team reveals years-long spyware attack on iPhone users
  • Morning Brew : The trade war hits close to home, Apple feels vulnerable, and a fight over national park transportation
  • Zack Whittaker / TechCrunch : Malicious websites were used to secretly hack into iPhones for years, says Google
  • Thomas Brewster / Forbes : WhatsApp Security Destroyed By Just Visiting A Website—Why The Latest iPhone Hack Is Terrifying
  • Associated Press : Websites infected iPhones with spyware
  • Todd Haselton / CNBC : Google discovers major iPhone security flaw that affected thousands
  • Dell Cameron / Gizmodo : Google Hackers Reveal Websites Hacked Thousands of iPhone Users Silently for Years
  • Paul Wagenseil / Tom's Guide : Mass iPhone Hack Is Huge Wake-Up Call for Apple
  • Allison Ingersoll / Bloomberg : Google's Elite Hacking Team Reveals Untimely Bug in iPhone
  • Conor Cawley / Tech.co : Google Researchers Find Massive Security Flaw in iPhones
  • Richi Jennings / Security Boulevard : Apple is Bad at Software, says Google
  • James Rogers / Fox News : iPhone hack attack: Google says hackers placed ‘monitoring implants’ in iPhones
  • Shaun Nichols / The Register : Google security crew sheds light long-running iOS spyware operation
  • Sergiu Gatlan / BleepingComputer : Google Warns iPhone Users of Data-Stealing Malware Attacks
  • Chris Nuttall / Financial Times : Google highlights iPhone security flaw
  • Christopher Baugh / iPhone in Canada Blog : Google Security Researchers Uncover ‘Sustained’ Hack on Apple iOS Devices
  • Sudais / HackRead : Google hackers found malicious websites hacking iPhones
  • Thomas Reed / Malwarebytes Labs : Unprecedented new iPhone malware discovered
  • CBS San Francisco : State-Sponsored Hackers Infected iPhones With Spyware; ‘Most Serious’ Breach Of Its Kind
  • Janko Roettgers / Variety : Massive iPhone Hack Compromised Thousands of Phones
  • Maria Deutscher / SiliconANGLE : Google: Malicious sites hacked iPhones for years through unknown exploits
  • Rob Thubron / TechSpot : Google says hacked websites were attacking iPhones for years
  • Bevin Fletcher / FierceWireless : Hackers indiscriminately installed ‘monitoring implants’ in iPhones, Google says
  • Kelly Sheridan / Dark Reading : Google Uncovers Massive iPhone Attack Campaign
  • Jack Purcher / Patently Apple : Google's Project Zero Team Finds an iOS Exploit Allowing Hackers to tap into conversations through iMessage & more
  • Brenden Gallagher / The Daily Dot : Thousands of iPhones attacked just by visiting hacked websites
  • Tara Seals / Threatpost : iPhone Zero-Days Anchored Watering-Hole Attacks
  • Joe Rice-Jones / KnowTechie : Google says a bunch of malicious websites have been secretly hacking iPhones for years
  • Firstpost Tech : Malicious websites have been quietly hacking iPhones for the past couple of years
  • Josephine Wolff / Slate : What You Need to Know About the iPhone Malware News
  • Joe Uchill / Axios : Report: Websites hacked iPhones for years
  • Ionut Arghire / SecurityWeek : iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years
  • John E Dunn / Naked Security : Sophisticated iPhone hacking went unnoticed for over two years
  • Chris Davies / SlashGear : iPhone exploit active “at least two years” detailed by Google
  • Charlotte Henry / The Mac Observer : Latest iOS Hack is a Game Changer
  • Anton D. Nagy / Pocketnow : Google says iPhones were vulnerable to hacks from websites for years
  • Jay Bonggolto / Neowin : Google discovered ‘sustained attacks’ over at least two years against iPhone users
  • Babu Mohan / Android Central : Google uncovers multiple malicious sites that hacked iPhones for years
  • Maggie Miller / The Hill : Google uncovers evidence of large iPhone hacking attempt
  • Chris Merriman / Inquirer : Google's Project Zero team uncovers ‘sustained’ hack on Apple iOS devices
  • Dave Mark / The Loop : Google lays out iOS malware exploits found in the wild, but already patched by Apple back in February
  • Mitchel Broussard / MacRumors : Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed
  • Jonny Evans / Apple Must : How to protect yourself against the latest big iPhone security scare (Updated)
  • Sami Khan / International Business Times : Hackers used malicious websites to hack iPhones: Passwords, photos, chats, live location exposed
  • Jeff Stone / CyberScoop : Google's Project Zero details ‘indiscriminate’ hacking campaign against thousands of iPhones
  • Abdullah / Gizchina : Google has discovered malicious websites targeting iPhone users
  • David Pierini / Cult of Mac : Google says iPhone security holes went unnoticed for 2 years
  • Rishi Iyengar / CNN : Google finds evidence of attempted mass iPhone hack
  • Stephen E. Arnold / Beyond Search : MAGA: Making Android Great Again?
  • PYMNTS.com : Hacking Attack Could Have Compromised Hundreds Of Thousands Of iPhones
  • Michael Grothaus / Fast Company : Google discovered websites that could hack your iPhone just by visiting them
  • Scott Bicheno / Telecoms.com : Google exposes massive iPhone hacking operation
  • Mikey Campbell / AppleInsider : iPhone exploits in hacked websites went unnoticed for years
  • MacDailyNews : These malicious website exploits targeted iPhone users for years
  • Isobel Asher Hamilton / Business Insider : Google researchers found a bunch of malicious sites that quietly hacked iPhones for years
  • Dan Grabham / Pocket-lint : Google researchers found an iOS security hole was left open for years
  • Alfred Ng / CNET : Google says iPhone security flaws let websites hack away for years
  • Mark Jansen / Digital Trends : Google says older iPhones have a security flaw. Here's how to protect yourself
  • Mark Wyciślik-Wilson / BetaNews : Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
  • Mariella Moon / Engadget : Google uncovers exploit-laden websites that stole data from iPhones
  • Catalin Cimpanu / ZDNet : Google finds malicious sites pushing iOS exploits for years
  • Silviu Stahie / Softpedia News : Google Finds Massive iPhone Vulnerability that Was Exploited for Years
  • Ed Targett / Computer Business Review : Thousands of Fully Patched iPhones Exploited for Years, says Google - Who Is the Sophisticated Mystery Attacker?
  • Swati Khandelwal / The Hacker News : Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years
  • Brandy Betz / Seeking Alpha : Google researchers found mass iPhone hack attempt
  • Ravie Lakshmanan / The Next Web : Google researchers reveal data-stealing, web-based iPhone exploit that was active for years
  • Catalin Cimpanu / ZDNet : Google warns about two iOS zero-days ‘exploited in the wild’
  • Rajesh Pandey / iPhone Hacks : Google's Project Zero Team Details Malicious Websites That Hacked iPhones for Years
  • Caitlin Welsh / Mashable : Hacked sites attacked thousands of iPhones every week for years using undiscovered exploits
  • Mike Peterson / iDrop News : Here's Why You Should Update to iOS 12.1.4 Right Now (It's Not the Spy Bug)
  • Chance Miller / 9to5Mac : Google researcher says iOS 12.1.4 fixes two zero-day vulnerabilities that ‘were exploited in the wild’

Tweets:

  • Malte Ubl / @cramforce : If Apple allowed browser engine diversity on iOS, then fewer than 100% of iOS users would have been vulnerable over this 2 year period https://www.washingtonpost.com/ ...
  • Alex Stamos / @alexstamos : Many things to learn from this incident, but one is the safety cost of anti-competitive iOS App Store policies. Chrome/Brave/Firefox are required to use the default WebKit/JS. If Apple isn't going to put in the work necessary to protect users then they should let others do so. https://twitter.com/... https://twitter.com/...
  • Eric Geller / @ericgeller : You were very likely not hacked by this. The infected websites received very little traffic, Google said. The news is mostly significant because of how rare iOS zero-days are and because this campaign was indiscriminate, not targeted, raising questions about who did it and why.
  • Alex Stamos / @alexstamos : It's darkly ironic that Apple is the company that is demonstrating the end point of late-90's fears about Microsoft. ✅Rent seeking via platform control. ✅Content moderation on behalf of autocracies ✅Risk of software monoculture[1] [1] http://blough.ece.gatech.edu/ ...
  • Jake Williams / @malwarejake : This, plus a hardcoded HTTP IP address is amateur hour. Contrast that with multiple exploit chains and sandbox escapes and it sure sounds like a group with tons of money to buy exploits and little operational experience. So many thoughts right now... https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
  • Rat King / @mikeisaac : can someone tell me the rationale of google disclosing all this info but not identifying the sites? is it in fear of drawing people to them? https://www.wired.com/...
  • Martijn Grooten / @martijn_grooten : There's a lot to say about the iPhone watering hole attacks, but if you work with vulnerable groups in China this, and the fact that P0 talked about “entire populations”, means should you take extra notice of what happened https://googleprojectzero.blogspot.com/ ... https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
  • Stephen Shankland / @stshank : A dig from a Googler about Apple's ostensibly security-minded (in part) reason for allowing only its own browser engine on iOS & iPadOS. (Chrome, Firefox, etc. are available on iOS, but unlike on MacOS, Windows, Android, are required to use Apple's WebKit browser engine.) https://twitter.com/...
  • Rich Mogull / @rmogull : I'm trying to decide if learning of indiscriminate iOS zero day attacks in the wild is just incredibly concerning, or the biggest iOS security news since the launch of the platform: https://googleprojectzero.blogspot.com/ ...
  • Alex Stamos / @alexstamos : Remember how everybody lost their mind over Microsoft Palladium? At the time, “huge corporation will use hardware-rooted DRM to censor content choices by end users” seemed the worst-case scenario. That is literally the impact of Apple's DRM in China. https://epic.org/... https://twitter.com/...
  • Rene Ritchie / @reneritchie : Terrific drill-down on a web-based iOS exploit chain. But, I can't find any info on what kind of sites were being used? If they were a tiny cluster in a remote region vs. major multinational, it's a very different threat level. https://googleprojectzero.blogspot.com/ ...
  • Alex Hern / @alexhern : As this has filtered from the security community to the mainstream, something's been lost in translation, so I want to be explicit: this is not an aggressive move by Google, and it's not part of the wider conflict between the two companies. https://www.theguardian.com/ ...
  • Eric Geller / @ericgeller : HUGE mobile security news: Google found malicious websites indiscriminately hacking iPhones using at least 5 separate exploit chains w/ *14* individual 0days. https://googleprojectzero.blogspot.com/ ... This is like finding a live colossal squid at the beach. Just *one* iOS 0day goes for >$1m. https://twitter.com/...
  • Arrigo Triulzi / @cynicalsecurity : All I am going to say about the iOS exploit chains write up by Project Zero is: “Bloody Hell!”. In the most profound British understatement tone I can muster. https://googleprojectzero.blogspot.com/ ...
  • Savic Ali / @savicali : Privacy is an illusion in digital world. https://twitter.com/...
  • Lukasz Olejnik / @lukolejnik : The implant was used to steal location data and files like databases of WhatsApp, Telegram, iMessage. So all the user messages, or emails. Copies of contacts, photos, https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
  • Costin Raiu / @craiu : So, people with access to big chunks of network traffic should probably scout for HTTP POSTs to “/list/suc?name=”. https://googleprojectzero.blogspot.com/ ...
  • Alex Stamos / @alexstamos : This is a huge find by Google's team. Attribution for these sites is going to be critical to understanding what impact they might have had. https://twitter.com/...
  • @malwaretechblog : This is wild. A group were using hacked websites to indiscriminately exploit iPhones using zero days exploits, and somehow went unnoticed for years. https://googleprojectzero.blogspot.com/ ...
  • Jason Koebler / @jason_koebler : this is crazy crazy crazy crazy crazy. Upends everything I thought I knew about iPhone security. https://www.vice.com/...
  • Daniel Sinclair / @_danielsinclair : Wow. This Project Zero discovery is insane. Some unnamed entity (obviously a government) had 7 Safari 0-days that have been quietly compromising iPhones for years — all the way back to iOS 10. Anyone who visited these unnamed sites were sunk. https://googleprojectzero.blogspot.com/ ...
  • @da_667 : the iOS 0-day/implant that google TAG found just really goes to show you why there is such a big market for iOS 0-days. With the right exposure, its intelligence goldmine that reaps massive dividends.
  • Patrick Howell O'Neill / @howelloneill : Google's Threat Analysis Group found hacked sites being used in watering hole attacks using five distinct iPhone 0-day exploit chains. The websites had thousands of visitors per week. Project Zero's analysis starts here: https://googleprojectzero.blogspot.com/ ...

Project Zero Ian Beer
