Apple iPhones Hacked by Websites Exploiting Zero-Day Flaws

upstart writes in with a submission, via IRC, for SoyCow2718.

Apple iPhones Hacked by Websites Exploiting Zero-Day Flaws

Since at least 2016, hacked websites have targeted zero-day flaws in the latest versions of Apple iOS to surreptitiously hack iPhones, new research from Google shows.

The attack campaign has been revealed by Google's Project Zero team, which searches for zero-day flaws. It says the attack campaign was used to infect iOS devices with an implant - aka malware - that could steal private data, including photos and messages in Telegram, iMessages and Gmail, as well as send GPS data to a command-and-control server for tracking users in real time, provided they're online.

"Earlier this year Google's Threat Analysis Group discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," Ian Beer of the Project Zero team says in a blog post published Thursday.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," he says. "We estimate that these sites receive thousands of visitors per week."

[...] Google reported two serious flaws - CVE-2019-7287 & CVE-2019-7286 - to Apple on Feb. 1, setting a seven-day deadline before releasing them publicly, since they were apparently still zero-day vulnerabilities as well as being used in active, in-the-wild attacks.

Apple patched the flaws via iOS 12.1.4, released on Feb. 7, together with a security alert.

Read more of this story at SoylentNews.