X

Until Recently, Websites Were Hacking iPhones

Hackers were able to access iPhones' keychain and messaging apps
By Neal Colgrass,  Newser Staff
Posted Aug 31, 2019 1:30 PM CDT
In this Sunday, Aug. 11, 2019, photo an iPhone displays the apps for Facebook and Messenger in New Orleans.   (AP Photo/Jenny Kane)

(Newser) – Visit a website, and boom—your iPhone is hacked. That nightmare vulnerability was plaguing iPhones until a Google team warned Apple about it in February, the Verge reports. Google's Project Zero team found that hacked websites were taking advantage of security flaws to crawl into any iPhone that came surfing along. "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," says Google's Project Zero team. "We estimate that these sites receive thousands of visitors per week."

That meant hackers could place an implant that accessed the phone's keychain, allowing them to grab credentials or certificates and steal the contents of messaging apps like iMessage and WhatsApp. A simple reboot would delete the implant, but by then the implant had already accessed authentication tokens in the keychain, allowing continued access even with the implant removed. Google gave Apple a tight one-week window in which to repair the flaw—far less than the usual 90 days—and Apple rolled out a fix after six days with iOS 12.1.4, per TechCrunch. Apple had no comment on the matter. (Read more Apple stories.)

My Take on This Story
Show results without voting  |  
11%
11%
11%
5%
55%
8%