iPhones hacked by malicious websites2019-08-30 18:22 by Daniela
Google's Project Zero security researchers say that hackers were targeting iPhones for the last two years and placing "monitoring implants" on Apple's smartphones. They were able to break into thousands of iPhones by combining a number of iOS vulnerabilities.
The hack was carried out via dedicated websites; simply visiting those sites with an iPhone or iPad could result in hackers installing malware on those devices, which they could then use to steal contacts, passwords and other sensitive information.
The implant installed by the malicious sites would be deleted if a user rebooted their phone. However, the researchers say that since the attack compromises a device's keychain, then the attackers could gain access to any authentication tokens it contains, and these could be used to maintain access to accounts and services long after the implant has disappeared from a compromised device.
"The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server," Project Zero's Threat Analysis Group said, according to CNBC. "The implant binary does not persist on the device; if the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again. Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."
The flaw in the software that made the iPhones vulnerable were fixed in February, but it could have potentially exposed the data of "thousands" every week. Project Zero only revealed the details of how hackers could have exploited this security glitch months after first alerting Apple.
Read more -here-