
Malicious sites were used to hack iPhones for years, says Google

Late yesterday afternoon (8/29), the team of researchers from Google's Project Zero released a new report about an iOS vulnerability that allowed certain websites to break into iPhones simply when they were accessed. To experts, this "could have been one of the biggest attacks on iPhone users of all time."

In the publication, the British online security expert Ian Beer explained that "there was no target discrimination" in this attack. Thus, any user could be affected simply by visiting one of the malicious websites which, by the way, received thousands of hits per week, as reported by VICE.

While not specifying which sites were affected, the Google team discovered 5 different ways these pages could break into iOS through 12 security holes involving Safari. In short, these different ways of exploitation gave the attacker root access to the iPhone, the highest level of device access.

In addition to having access to certain data and media from the device, a cracker could also (silently) install malicious apps to spy on the user and even gain access to their passwords without, of course, their knowledge or consent.

What's more, when such software was installed by the cracker on the device, it could send the iPhone owner's files to specific servers, as well as live location data (which was resubmitted every minute)! Because primary access to the iPhone was compromised, services like iMessage, WhatsApp and Telegram were also affected.

Most curious, perhaps, was the delay in identifying and resolving this flaw, which affected devices running iOS 10 through 12, i.e., the vulnerability was present for over two years! Nevertheless, Beer confirmed that the problems were reported to Apple on February 1, 2019, and that Project Zero gave 7 days (compared to the 90 days normally provided) for Apple to correct them; the solution came just a week later, with the release of iOS 12.1.4.

VICE contacted Apple for comment on the issue, but the company has not yet responded.