Google's security researchers have found a number of malicious websites that, when visited, could quietly hack a victim's iPhone by exploiting a number of previously unknown software bugs.
A deep-dive blog post published late Thursday said the sites were visited by unsuspecting victims thousands of times a week, in what the researchers called an "indiscriminate" attack that, if successful, would install a surveillance implant, said Ian Beer, a security researcher at Project Zero.
He said the websites hacked iPhones for at least two years.
The researchers found five different exploit chains involving 12 different vulnerabilities, including seven in Safari, the integrated web browser for iPhones. The five separate attack chains gave an attacker root access to the device.
Google found that the vulnerabilities were used to steal a user's photos and messages and to track their location in near real time. The "implant" can also access the bank of saved passwords stored on the user's device.
The vulnerabilities affect iOS 10 through the current iOS 12 software release.
Google publicly announced the vulnerabilities in February and gave Apple just a week to fix the bugs and provide updates to users. This is a fraction of the 90 days typically available to software developers to determine the severity of the vulnerabilities.
Apple released a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and higher.
Beer said it's possible that other hacking campaigns are currently under way.
The iPhone and iPad manufacturer generally has a good reputation on security and privacy issues. Most recently, the company increased its maximum bug bounty payout to $1 million for security researchers who find bugs that can target an iPhone in the background and gain root-level privileges without user interaction. Under Apple's new bounty rules, which will come into force later this year, Google would be entitled to several million dollars in bounties.
An Apple spokesman declined to comment.