Skip to main content

Google reveals major iPhone security flaws that let websites hack phones

Google reveals major iPhone security flaws that let websites hack phones

/

Malicious websites could access files, messages, and location data

Share this story

Illustration by Alex Castro / The Verge

Security researchers working in Google’s Project Zero team say they have discovered a number of hacked websites which used previously undisclosed security flaws to indiscriminately attack any iPhone that visited them. Motherboard reports that the attack could be one of the largest ever conducted against iPhone users. If a user visited one of the malicious websites using a vulnerable device, then their personal files, messages, and real time location data could be compromised. After reporting their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year.

Motherboard notes that the attack could have allowed the sites to install an implant with access to an iPhone’s keychain. This would have given the attackers access to any credentials or certificates contained within it, and could also allow them to access the databases of seemingly secure messaging apps like WhatsApp and iMessage. Despite these apps using end-to-end encryption for the transfer of messages, if an end device was compromised by this attack, then an attacker could access previously encrypted messages in plain text.

iOS versions 10 through 12 were affected

The attack is notable because of how indiscriminate it is. Motherboard notes that other attacks are typically more targeted, with individual links being sent to targets. In this case, simply visiting a malicious site could be enough to be attacked, and for an implant to be installed on a device. The researchers estimate that the compromised sites were visited by thousands of visitors each week. 

The implant installed by the malicious sites would be deleted if a user rebooted their phone. However, the researchers say that since the attack compromises a device’s keychain, then the attackers could gain access to any authentication tokens it contains, and these could be used to maintain access to accounts and services long after the implant has disappeared from a compromised device.

In total, the researchers say they discovered 14 vulnerabilities across five different exploit chains, including one which was unpatched at the time the researchers discovered it. iOS versions 10 through 12 were all affected by the vulnerabilities, which the researchers say indicates that the attackers were attempting to hack users over at least two years.

The team says they contacted Apple to report the vulnerability back in February, and gave the company just seven days to patch it. TechCrunch notes that this is a far shorter deadline than the typical 90-day window usually given by researchers, and likely reflects how serious the vulnerabilities are. Apple patched the vulnerabilities with iOS 12.1.4, the same update that fixed a major FaceTime security flaw.

Although the vulnerabilities have now been patched, the researchers note that there are likely to be more out there that they’re yet to discover. “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” they write. You can find full details of the exploits in the researcher’s blog post

Today’s Storystream

Feed refreshed 13 minutes ago Dimorphos didn’t even see it coming

R
Twitter
Richard Lawler13 minutes ago
A direct strike at 14,000 mph.

The Double Asteroid Redirection Test (DART) scored a hit on the asteroid Dimorphos, but as Mary Beth Griggs explains, the real science work is just beginning.

Now planetary scientists will wait to see how the impact changed the asteroid’s orbit, and to download pictures from DART’s LICIACube satellite which had a front-row seat to the crash.


M
The Verge
Mary Beth GriggsTwo hours ago
We’re about an hour away from a space crash.

At 7:14PM ET, a NASA spacecraft is going to smash into an asteroid! Coverage of the collision — called the Double Asteroid Redirection Test — is now live.


E
Twitter
Emma RothTwo hours ago
There’s a surprise in the sky tonight.

Jupiter will be about 367 million miles away from Earth this evening. While that may seem like a long way, it’s the closest it’s been to our home planet since 1963.

During this time, Jupiter will be visible to the naked eye (but binoculars can help). You can check where and when you can get a glimpse of the gas giant from this website.


Asian America learns how to hit back

The desperate, confused, righteous campaign to stop Asian hate

Esther WangSep 26
E
Twitter
Emma RothSep 26
Missing classic Mario?

One fan, who goes by the name Metroid Mike 64 on Twitter, just built a full-on 2D Mario game inside Super Mario Maker 2 complete with 40 levels and eight worlds.

Looking at the gameplay shared on Twitter is enough to make me want to break out my SNES, or at least buy Super Mario Maker 2 so I can play this epic retro revamp.


R
External Link
Russell BrandomSep 26
The US might still force TikTok into a data security deal with Oracle.

The New York Times says the White House is still working on TikTok’s Trump-era data security deal, which has been in a weird limbo for nearly two years now. The terms are basically the same: Oracle plays babysitter but the app doesn’t get banned. Maybe it will happen now, though?


R
External Link
Russell BrandomSep 26
Edward Snowden has been granted Russian citizenship.

The NSA whistleblower has been living in Russia for the 9 years — first as a refugee, then on a series of temporary residency permits. He applied for Russian citizenship in November 2020, but has said he won’t renounce his status as a U.S. citizen.


E
External Link
Emma RothSep 26
Netflix’s gaming bet gets even bigger.

Even though fewer than one percent of Netflix subscribers have tried its mobile games, Netflix just opened up another studio in Finland after acquiring the Helsinki-based Next Games earlier this year.

The former vice president of Zynga Games, Marko Lastikka, will serve as the studio director. His track record includes working on SimCity BuildIt for EA and FarmVille 3.


A
External Link
Vietnam’s EV aspirant is giving big Potemkin village vibes

Idle equipment, absent workers, deserted villages, an empty swimming pool. VinFast is Vietnam’s answer to Tesla, with the goal of making 1 million EVs in the next 5-6 years to sell to customers US, Canada and Europe. With these lofty goals, the company invited a bunch of social media influencers, as well as some auto journalists, on a “a four-day, multicity extravaganza” that seemed more weird than convincing, according to Bloomberg.


J
James VincentSep 26
Today, 39 years ago, the world didn’t end.

And it’s thanks to one man: Stanislav Petrov, a USSR military officer who, on September 26th, 1983, took the decision not to launch a retaliatory nuclear attack against the US. Petrov correctly guessed that satellite readings showing inbound nukes were faulty, and so likely saved the world from nuclear war. As journalist Tom Chivers put it on Twitter, “Happy Stanislav Petrov Day to those who celebrate!” Read more about Petrov’s life here.


Soviet Colonel who prevented 1983 nuclear response
Photo by Scott Peterson/Getty Images
J
The Verge
James VincentSep 26
Deepfakes were made for Disney.

You might have seen the news this weekend that the voice of James Earl Jones is being cloned using AI so his performance as Darth Vader in Star Wars can live on forever.

Reading the story, it struck me how perfect deepfakes are for Disney — a company that profits from original characters, fans' nostalgia, and an uncanny ability to twist copyright law to its liking. And now, with deepfakes, Disney’s most iconic performances will live on forever, ensuring the magic never dies.


E
External Link
Hurricane Fiona ratcheted up tensions about crypto bros in Puerto Rico.

“An official emergency has been declared, which means in the tax program, your physical presence time is suspended,” a crypto investor posted on TikTok. “So I am headed out of the island.” Perhaps predictably, locals are furious.


R
The Verge
Richard LawlerSep 26
Teen hacking suspect linked to GTA 6 leak and Uber security breach charged in London.

City of London police tweeted Saturday that the teenager arrested on suspicion of hacking has been charged with “two counts of breach of bail conditions and two counts of computer misuse.”

They haven’t confirmed any connection with the GTA 6 leak or Uber hack, but the details line up with those incidents, as well as a suspect arrested this spring for the Lapsus$ breaches.