iPhone exploits in hacked websites went unnoticed for years

Posted in iPhone, edited August 2019
Researchers from Google's Project Zero security initiative on Thursday revealed the discovery of a collection of hacked websites that for years hosted a series of exploits targeting iPhone models up to iPhone X running the current version of iOS 12.

Outlined in a blog post, Google said its Threat Analysis Group (TAG) uncovered the "small collection" of websites earlier this year.

"The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," writes Project Zero's Ian Beer. "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."

Beer estimates the sites receive thousands of visitors per week.

TAG believes the hacks are the work of a bad actor who, over a period of at least two years, conducted an operation to infiltrate select iPhone user demographics targeted by the undisclosed sites. The group found evidence of five unique iPhone exploit chains that cover "almost every version" of iOS from iOS 10 to the current iteration of iOS 12. Impacted iPhones range from iPhone 5s to iPhone X.

In all, Google researchers discovered 14 vulnerabilities impacting iPhone's web browser, kernel and sandbox security mechanism, one of which was a zero-day.

As noted by Motherboard, which reported on Google's findings earlier today, the exploits were used to deploy an implant designed to steal files and upload real-time GPS location data. In addition, the implant accessed a user's keychain, the feature responsible for securely storing passwords and the databases of end-to-end encrypted messaging apps like iMessage. It also took copies of Contacts data and Photos, Beer writes.

While the malware is cleaned from an infected iPhone upon rebooting, Beer notes attackers might be able to "maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device." Alternatively, visiting the hacked site would reinstall the implant.

Google informed Apple of the issue on Feb. 1, presenting the company a seven-day window in which to plug the holes. Apple subsequently released a patch with iOS 12.1.4 on Feb. 7 and disclosed Google's findings in an accompanying support document.

Apple's iOS 12.1.4 update also patched a pair of Foundation and IOKit flaws discovered by Google's Project Zero team lead Ben Hawkes. Both zero-day vulnerabilities were used to hack devices in the wild.

Comments

  • Reply 1 of 60
    coolfactor (Posts: 2,245, member)
    Most exploits are fixed by way of "improved validation". Not sure why this validation is not stronger to begin with.
  • Reply 2 of 60
    Bravo! Project Zero
  • Reply 3 of 60
    Pretty pathetic reputation considering Apple’s marketing focus on privacy and security.
    The memory of MacOS permission screw-up getting admin or even root permission is still very fresh. 

    Also consider the public perception when ‘Google researchers’ discover ‘Apple problems’.


  • Reply 4 of 60
    No phone is completely safe. 
  • Reply 5 of 60
    Obvious Question: Which websites?
  • Reply 6 of 60
    MacPro (Posts: 19,728, member)
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    edited August 2019
  • Reply 7 of 60
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Observations:
    • You don't know what Project Zero is.  You don't know what they do
    • You skimmed the article looking for excuses why these exploits existed and lasted so long.
    • Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
    I've always been curious why people do what you did?  I think either you completely misunderstood what you read or you intentionally made up some stuff.  If it's the former, I'd suggest rereading and clicking on the links to gain understanding.  If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?

  • Reply 8 of 60
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Why would this article mention Android phones? It's about an Apple exploit. Most people know iPhones are much safer than Androids, but it still happens that exploits are being found in iOS too. Of course you might be able to build a phone that is more safe, but then you have to forgo ease of use. I’m very happy with my iPhone, and the safety it provides, but I also use gmail, and Google maps. But, I’m working on moving my email to a more privacy oriented provider. And lose Google maps. Already work with DuckDuckGo. Still...
  • Reply 9 of 60
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Observations:
    • You don't know what Project Zero is.  You don't know what they do
    • You skimmed the article looking for excuses why these exploits existed and lasted so long.
    • Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
    I've always been curious why people do what you did?  I think either you completely misunderstood what you read or you intentionally made up some stuff.  If it's the former, I'd suggest rereading and clicking on the links to gain understanding.  If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?

    Project Zero has been criticized in the past before for not disclosing Google's security failures. The comment is valid.
  • Reply 10 of 60
    isidore said:
    Obvious Question: Which websites?

    There's a list in the blog.
  • Reply 11 of 60
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

  • Reply 12 of 60
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Observations:
    • You don't know what Project Zero is.  You don't know what they do
    • You skimmed the article looking for excuses why these exploits existed and lasted so long.
    • Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
    I've always been curious why people do what you did?  I think either you completely misunderstood what you read or you intentionally made up some stuff.  If it's the former, I'd suggest rereading and clicking on the links to gain understanding.  If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?

    Project Zero has been criticized in the past before for not disclosing Google's security failures. The comment is valid.
    There's nothing valid in that comment.  It's 100% pure deflection.  MacPro tries to imply Android phones are also vulnerable to the iOS memory corruption and it's being downplayed or covered up.  He doubles down on the FUD by implying it's part of Google's marketing strategy.  Then he goes full on Spinal Tap Turn Up to 11 with the Android users hand that type of info over to Google... uuhhhh

    This is the comment you think is valid?  Bruh, lemme get a hit of whatever you're smoking. 
    That comment is so hyperbolic it almost seems like he's making a parody of the stereotypical Apple Defense Force type of Apple fan.
  • Reply 13 of 60
    gatorguy (Posts: 24,213, member)
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Observations:
    • You don't know what Project Zero is.  You don't know what they do
    • You skimmed the article looking for excuses why these exploits existed and lasted so long.
    • Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
    I've always been curious why people do what you did?  I think either you completely misunderstood what you read or you intentionally made up some stuff.  If it's the former, I'd suggest rereading and clicking on the links to gain understanding.  If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?

    Project Zero has been criticized in the past before for not disclosing Google's security failures. The comment is valid.
    I call BS on it being a valid criticism. Who the heck has legit criticized Project Zero for not tracking down and disclosing Android or Chrome exploits? You wouldn't be making something up would you? 

    Fun Fact: Project Zero holds Google themselves to the same general 90-day disclosure deadline as they give every other company.

    By the way it's rare that exploits discovered by the Project Zero team are not patched before the 90-day deadlines, despite Microsoft whining about it. 
    https://www.techspot.com/news/81281-over-95-1600-vulnerabilities-discovered-google-project-zero.html
    edited August 2019
  • Reply 14 of 60
    knowitall (Posts: 1,648, member)
    MacPro said:
    If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me.  Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
    Observations:
    • You don't know what Project Zero is.  You don't know what they do
    • You skimmed the article looking for excuses why these exploits existed and lasted so long.
    • Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
    I've always been curious why people do what you did?  I think either you completely misunderstood what you read or you intentionally made up some stuff.  If it's the former, I'd suggest rereading and clicking on the links to gain understanding.  If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?

    Seems to me you waited for such a comment to be able to show your ‘outrage’ publicly.
  • Reply 15 of 60
    I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s. 
  • Reply 16 of 60
    knowitall (Posts: 1,648, member)
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, what's new?
  • Reply 17 of 60
    crosslad said:
    I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s. 
    Now THIS is a valid comment. 

    As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days. 

    However, it is extremely impressive that there are people in the world who are so extraordinarily skilled to be able to find and exploit these vulnerabilities. It would be fascinating to see what a state like Russia has been able to do with their hack teams. 
  • Reply 18 of 60
    gatorguy (Posts: 24,213, member)
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, what's new?
    Aren't those spoof sites? Com. or Net. before the website instead of after? 
  • Reply 19 of 60
    asdasd (Posts: 5,686, member)
    gatorguy said:
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, what's new?
    Aren't those spoof sites? Com. or Net. before the website instead of after? 
    It's a reverse URL, used in bundle identifiers, or in the app Info.plist to uniquely identify the app. For instance when an app is launched from another app, the app will generally be identified with a reverse URL. 
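The point asdasd makes above is that the strings in the quoted list are reverse-DNS bundle identifiers, not web addresses. The following is an added example (not code from the thread, from Apple or from Project Zero) that validates strings against Apple's documented bundle-identifier character rules (alphanumerics, hyphens and periods), turns a bundle ID back into the vendor's domain by reversing its leading labels, and, from a defender's side, checks an installed-app inventory against the hardcoded list quoted in the thread. The assumption that the first two labels are the vendor's registrable domain is a naming convention, not something iOS enforces, and the installed-app list is constructed for the example.

```python
from __future__ import annotations

import re

# The hardcoded bundle identifiers quoted earlier in this thread.
TARGETED_BUNDLE_IDS = [
    "com.yahoo.Aerogram",
    "com.microsoft.Office.Outlook",
    "com.netease.mailmaster",
    "com.rebelvox.voxer-lite",
    "com.viber",
    "com.google.Gmail",
    "ph.telegra.Telegraph",
    "com.tencent.qqmail",
    "com.atebits.Tweetie2",
    "net.whatsapp.WhatsApp",
    "com.skype.skype",
    "com.facebook.Facebook",
    "com.tencent.xin",
]

# Apple's documented bundle ID alphabet: A-Z, a-z, 0-9, hyphen and period.
# We additionally require at least two dot-separated labels, since a
# reverse-DNS identifier needs a TLD label and a vendor label.
_BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_bundle_id(bundle_id: str) -> bool:
    """True if the string is well-formed as an iOS bundle identifier.

    A URL such as 'https://facebook.com' fails because ':' and '/' are
    not allowed; a bare word such as 'facebook' fails for lacking a dot.
    """
    return _BUNDLE_ID_RE.match(bundle_id) is not None


def split_bundle_id(bundle_id: str) -> tuple[str, str]:
    """Split a reverse-DNS bundle ID into (vendor domain, app part).

    Assumption: the first two labels are the reversed registrable domain
    and everything after them names the app, so
    'com.facebook.Facebook' -> ('facebook.com', 'Facebook') and
    'com.viber' -> ('viber.com', '').
    """
    if not is_valid_bundle_id(bundle_id):
        raise ValueError(f"not a well-formed bundle identifier: {bundle_id!r}")
    labels = bundle_id.split(".")
    domain = ".".join(reversed(labels[:2]))
    app_part = ".".join(labels[2:])
    return domain, app_part


def vendor_domains(bundle_ids: list[str]) -> list[str]:
    """Unique vendor domains behind a list of bundle IDs, sorted."""
    return sorted({split_bundle_id(b)[0] for b in bundle_ids})


def targeted_installed(installed: list[str],
                       targeted: list[str] = TARGETED_BUNDLE_IDS) -> list[str]:
    """Which installed apps appear on the implant's hardcoded list.

    A defender triaging a device would use the answer to decide which
    app data (and which accounts logged in through those apps) to treat
    as exposed and re-credential.
    """
    return sorted(set(installed) & set(targeted))


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    sample_inventory = [
        "com.apple.mobilesafari",
        "com.google.Gmail",
        "net.whatsapp.WhatsApp",
        "com.example.notes",
    ]
    for b in TARGETED_BUNDLE_IDS:
        print(f"{b:32s} -> {split_bundle_id(b)}")
    print("vendor domains:", vendor_domains(TARGETED_BUNDLE_IDS))
    print("installed apps on the list:", targeted_installed(sample_inventory))
```

Reading the output side by side with the thread's list makes the confusion above concrete: `net.whatsapp.WhatsApp` is the app whose vendor controls `whatsapp.net`, not a site named `net.whatsapp`, and nothing in the list is a domain an attacker registered.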
  • Reply 20 of 60
    gatorguy (Posts: 24,213, member)
    asdasd said:
    gatorguy said:
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, what's new?
    Aren't those spoof sites? Com. or Net. before the website instead of after? 
    It's a reverse URL, used in bundle identifiers, or in the app Info.plist to uniquely identify the app. For instance when an app is launched from another app, the app will generally be identified with a reverse URL. 
    Ah, thanks, understood. So then they are more like the common fake domains trying to appear as legitimate ones, but not putting net or com first?