Google Project Zero has revealed what it says may be “one of the largest attacks on iPhone users ever.”
According to the Project Zero blog, there was “no target discrimination” in the series of attacks, and that users could be impacted if they simply visited a website that had been hacked.
Google also revealed that thousands of people had been viewing these hacked sites every week.
In an extensive report, Google’s Threat Analysis Group revealed five separate exploit chains that affected iOS 12 as well as iOS 11 and iOS 10, meaning that a hacker had been “making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
How did the hack work?
Once an iOS user visited a malicious website, malware would be deployed that could steal files and upload live location data every 60 seconds. iMessages and other Apple services are also affected by the hack.
“Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes,” said Ian Beer from Project Zero.
“Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery.”
According to Beer, Google reported the vulnerability to Apple with a 7-day deadline on February 1st, 2019, and Apple patched the issues eight days later on February 9th, 2019 with iOS 12.1.4.
However, it’s likely that many users are still running older operating systems, so it’s recommended that you upgrade as soon as you can.
Are you shocked to hear about this vulnerability? Should Apple have done more to warn users to upgrade? Let us know your thoughts on Twitter using @AppleMagazine and check back soon for more Apple news and rumors, every week.