Google has a team called the Threat Analysis Group (TAG), and it was this team that identified several pages that, merely by being accessed, exploited flaws in iOS. The consequences were alarming: the iPhone could be hacked to steal user data (such as photos or WhatsApp messages) or to install spy tools.
In a blog post from Project Zero, a program that Google created in 2014 with the aim of discovering security flaws to make the web safer, company researchers reveal the discovery of five attack chains involving at least 14 security flaws that affected versions from iOS 10 to iOS 12.
In general, these attack chains gave attackers root access to the operating system. Of the 14 flaws identified, seven were related to Safari, five affected the kernel and the other two involved the sandbox (a “protected area” that limits application access to certain resources for security purposes).
With root access, attackers could install applications (to monitor the user, for example), access messages from services like WhatsApp and iMessage, capture photos, and obtain real-time geolocation data, among other things.
The worst part is that the user did not need to take any specific action. Simply accessing the malicious pages was enough for the exploits to take action. If they succeeded, the user’s iPhone could be hacked. Google estimates that these sites have received thousands of visits.
As always, Google reported the vulnerabilities to Apple. Typically, Project Zero sets a period of 90 days after notification for the responsible company to make corrections available; otherwise, Google raises a public alert about the problem.
But, considering the flaws to be very serious, Google gave a deadline of just seven days. Apple was notified on February 1, 2019, and released fixes on February 7 with the release of iOS 12.1.4.
Although Apple moved quickly after the notification, the problems took time to be fixed. TAG estimates that the flaws had been exploited for at least two years.
There are no estimates of how many users were affected, but what matters most is that the vulnerabilities have been mitigated, which is why Google concluded that this is a good time to talk about them.
It is recommended not to let your guard down, however. Company experts believe there are other flaws of this kind being exploited.
With information from TechCrunch.