Researchers from Google have discovered a number of malicious websites that have been used for at least two years to infiltrate iPhones.
On Thursday night, the analysts, who work at Project Zero (Google’s cyber security division), detailed their findings in a deep-dive technical blog.
Security research specialist Ian Beer wrote: “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Once the implant had infiltrated that particular iPhone, it was able to steal not only photos but also messages as well as GPS location data – all in real-time.
The blog post did not reveal precisely how many of these malicious sites there were, but according to the researchers’ best estimates, each one of them received thousands of unsuspecting visitors every week.
The hacks started with iOS 10 and were only patched with iOS 12.
According to Beer, this is an indication that there had been a “sustained effort” to gain unauthorised access to iPhones over the last two years.
The websites in question used five different methods, also known as “exploit chains”, to get access to iPhones.
The research team discovered 14 vulnerabilities that could be exploited by these exploit chains.
No fewer than seven of them were discovered in Safari – the default web browser on all new iPhones.
The researchers reportedly informed Apple about their discovery in February 2019.
They gave the Cupertino-based firm an unusually short seven days to fix the bugs.
Apple took up the challenge and, within six days, it released the necessary iOS 12 security update.
As far as security is concerned, Apple normally has quite a solid track record.
Last month, for example, it increased the amount of money that it is prepared to pay as a bug bounty (i.e. for software bugs discovered by security researchers) to $1m.