
Chronicles

The story behind the story


Sources: a number of recently disclosed malicious websites used to hack into iPhones over a two-year period were designed to target Uyghur Muslims in China

A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims, TechCrunch has learned.

TechCrunch Zack Whittaker

Discussion

  • @dcuthbert Daniel Cuthbert on x
    I'm going to be the odd one here and say this isn't right. So far China has had complete control of the Uyghurs using physical means and coercion. Their entire lives are controlled so why go this route when you will get burned (china doesn't like people knowing internal stuff)
  • @riskybusiness Patrick Gray on x
    Ok, so back to infosec now: @zackwhittaker published a story claiming those ZOMG iOS 0day chains were being used by the Chinese government to target Uyghur muslims. There are doubters, but his story lines up with what I've heard as well. Just sayin'.. https://techcrunch.com/...
  • @msuiche Matt Suiche on x
    Uyghur muslims, the poorest ethnic group in China, running around with shiny new iPhones? Plus they are already under heavy surveillance. The Chinese already make them install spyware by force. See 2017 story: https://mashable.com/... https://twitter.com/...
  • @rerutled Robert Rutledge on x
    I cannot find anywhere in this article *any* sourcing for the assertion the hack was by China, or to target Uyghur Muslims. * Did someone on Project Zero *say* that? Not in the article. * Was there some content in the notice which *says* that? Where did you get this from?
  • @zackwhittaker Zack Whittaker on x
    New: @iblametom has confirmed that Android and Windows users were *also* targeted in the same watering hole attacks affecting iPhone users. https://www.forbes.com/...
  • @neilcybart Neil Cybart on x
    This TechCrunch article on new developments related to the iPhone hacks via malicious websites is a well-written piece. Genuine reporting. No sensational boilerplate language about Apple. No hidden agenda. https://techcrunch.com/...
  • @peterpham Peter Pham on x
    But I thought iPhones were perfect? New iPhone Hack Shock As China Blamed For Devastating Attack: Report via @forbes http://www.forbes.com/...
  • @rootsecdev @rootsecdev on x
    So China targeting specific religious groups with powerful multiple zero day exploits. Does anyone else smell bullshit? Google PLA Unit 61398 https://techcrunch.com/...
  • @hynek Hynek Schlawack on x
    This is what you're enabling when you're using memory unsafe languages because you think you're ~very smart~. People end up in camps or even die. Look at the chains and get over your pride. https://twitter.com/...
  • @blowdart Barry Dorrans on x
    I wonder if telemetry doesn't make it out of China. Remember all the cloud hosting there is run by a Chinese company under license.
  • @thegrugq Thaddeus E. Grugq on x
    shocked. shocked. who ever could have guessed? 😑🙄 https://twitter.com/...
  • @ggreeneva Greg Greene on x
    This scoop — that the massive hack exploiting multiple zero-day iOS vulnerabilities was likely a state-sponsored Chinese surveillance program — is utterly believable. https://twitter.com/...
  • @malwaretechblog @malwaretechblog on x
    Update: rumor is it was China targeting Uighur Muslims. An authoritarian government targeting dissidents was the most likely explanation, though my first guess would have been a gulf state. https://techcrunch.com/...
  • @zackwhittaker Zack Whittaker on x
    Exclusive: Malicious websites used to quietly hack into iPhones over the past two years was an effort by China to target Uyghur Muslims. https://techcrunch.com/...
  • @stevebellovin Steven Bellovin on x
    Per https://arstechnica.com/..., the attackers were interested in activity on Tencent. To me, that strongly suggests Chinese internal security agencies are behind the malware. Also, the sites had “thousands of visitors per week”. These days, that's not very many. 1/2
  • @mikeisaac Rat King on x
    can someone tell me the rationale of google disclosing all this info but not identifying the sites? is it in fear of drawing people to them? https://www.wired.com/...
  • @ericgeller Eric Geller on x
    HUGE mobile security news: Google found malicious websites indiscriminately hacking iPhones using at least 5 separate exploit chains w/ *14* individual 0days. https://googleprojectzero.blogspot.com/ ... This is like finding a live colossal squid at the beach. Just *one* iOS 0day …
  • @zittrain Jonathan Zittrain on x
    Apple iOS has been considered the most secure smartphone OS. Disconcerting that flaws could be strung together not only to own the phone, but to do it in bulk for all users visiting a compromised/ing web site. https://twitter.com/... https://twitter.com/...
  • @kennethgeers Kenneth Geers on x
    Strategic iOS Attack —> “rare and intricate chains of code exploited a total of 14 security flaws” https://www.wired.com/...
  • @jeremiahg Jeremiah Grossman on x
    Google blog post didn't say how they found the infected website(s) using the iOS zero-days. But I'm sitting here thinking, again, that after $127B in annual InfoSec spending, it was an advertising platform that found it... and not a security vendor. Threat intel or otherwise.
  • @reneritchie Rene Ritchie on x
    And now @forbes reports: “Google's and Microsoft's operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.” Project Zero lacked so much context it became a social attack itself. https…
  • @reneritchie Rene Ritchie on x
    Timeline: - Google's Project Zero blogs legit iOS exploit but with no context. - Story gets re-blogged, people get panicked. - TechCrunch finds out it was targeted at the Uyghur community in Xinjiang, China. - Forbes finds out it targeted Android and Windows too. WTF PZ? https://…
  • @waisingrin Wai Sing-Rin on x
    If CCP is using redirected “watering holes” to upload malware into Uighur phones for iOS, Android & Windows, it is likely that CCP will redirect HK'ers to HK-centric watering holes. Forbes https://www.forbes.com/... TechCrunch https://www.forbes.com/...
  • @ggreeneva Greg Greene on x
    So the iOS hacking campaign revealed last week affected Android and Windows devices as well — but somehow, the coverage induced by Google's announcement only touched on the iOS bit. Odd. (h/t @jkohlmann, @zackwhittaker) https://www.forbes.com/...
  • @perito_inf @perito_inf on x
    Implant Teardown The implant has access to all the database files (on the victim's phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. https://googleprojectzero.blogspot.com/ ...
  • @ericgeller Eric Geller on x
    You were very likely not hacked by this. The infected websites received very little traffic, Google said. The news is mostly significant because of how rare iOS zero-days are and because this campaign was indiscriminate, not targeted, raising questions about who did it and why.
  • @alexstamos Alex Stamos on x
    Many things to learn from this incident, but one is the safety cost of anti-competitive iOS App Store policies. Chrome/Brave/Firefox are required to use the default WebKit/JS. If Apple isn't going to put in the work necessary to protect users then they should let others do so. ht…
  • @stshank Stephen Shankland on x
    A dig from a Googler about Apple's ostensibly security-minded (in part) reason for allowing only its own browser engine on iOS & iPadOS. (Chrome, Firefox, etc. are available on iOS, but unlike on MacOS, Windows, Android, are required to use Apple's WebKit browser engine.) https:/…
  • @rmogull Rich Mogull on x
    I'm trying to decide if learning of indiscriminate iOS zero day attacks in the wild is just incredibly concerning, or the biggest iOS security news since the launch of the platform: https://googleprojectzero.blogspot.com/ ...
  • @reneritchie Rene Ritchie on x
    Terrific drill-down on a web-based iOS exploit chain. But, I can't find any info on what kind of sites were being used? If they were a tiny cluster in a remote region vs. major multinational, it's a very different threat level. https://googleprojectzero.blogspot.com/ ...
  • @lukolejnik Lukasz Olejnik on x
    The implant was used to steal location data and files like databases of WhatsApp, Telegram, iMessage. So all the user messages, or emails. Copies of contacts, photos, https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
  • @martijn_grooten Martijn Grooten on x
    There's a lot to say about the iPhone watering hole attacks, but if you work with vulnerable groups in China this, and the fact that P0 talked about “entire populations”, means you should take extra notice of what happened https://googleprojectzero.blogspot.com/ ... https://googl…
  • @cynicalsecurity Arrigo Triulzi on x
    All I am going to say about the iOS exploit chains write up by Project Zero is: “Bloody Hell!”. In the most profound British understatement tone I can muster. https://googleprojectzero.blogspot.com/ ...
  • @_danielsinclair Daniel Sinclair on x
    Wow. This Project Zero discovery is insane. Some unnamed entity (obviously a government) had 7 Safari 0-days that have been quietly compromising iPhones for years — all the way back to iOS 10. Anyone who visited these unnamed sites were sunk. https://googleprojectzero.blogspot.co…
  • @jason_koebler Jason Koebler on x
    this is crazy crazy crazy crazy crazy. Upends everything I thought I knew about iPhone security. https://www.vice.com/...
  • @malwaretechblog @malwaretechblog on x
    This is wild. A group were using hacked websites to indiscriminately exploit iPhones using zero days exploits, and somehow went unnoticed for years. https://googleprojectzero.blogspot.com/ ...
  • @motherboard @motherboard on x
    Thousands of iPhones per week have been indiscriminately hacked for YEARS and no one knew: https://www.vice.com/...
  • @howelloneill Patrick Howell O'Neill on x
    Google's Threat Analysis Group found hacked sites being used in watering hole attacks using five distinct iPhone 0-day exploit chains. The websites had thousands of visitors per week. Project Zero's analysis starts here: https://googleprojectzero.blogspot.com/ ...