A few days ago Google’s Project Zero researchers published a deep-dive blog post in which they detailed an iPhone exploit that made the device vulnerable to malicious websites. By taking advantage of this iOS vulnerability, attackers could gain root access to unsuspecting iPhone users’ devices, allowing them to steal sensitive information such as the user’s photos, messages, near real-time location and saved passwords.
Visiting the malicious website was enough for an iPhone to get infected by this hack, and according to the researchers who discovered and published details about this exploit, such websites were visited by thousands of unsuspecting victims per week.
The vulnerability was found in multiple iOS versions, from iOS 10 up to iOS 12. Apple closed the vulnerability in iOS 12.1.4 back in February 2019 in a software update, after Google researchers shared the vulnerability they had found in its software. However, according to the researchers, the websites had already been hacking iPhones over a period of at least two years prior to Apple closing the vulnerability in its software.
Exploit used by China to target minorities
The Google researchers said they are not aware how this vulnerability was being used and by whom. However, just days after the details of the exploit were shared publicly by Google’s Project Zero researchers, TechCrunch is reporting that the same vulnerability was being used by China to target Uyghur Muslims in its country. The website’s sources claim that the malicious websites were part of a state-backed attack on the country’s Muslim minority that resides in the Chinese autonomous region of Xinjiang.
The attack would have been part of a larger crackdown on the Uyghur Muslim community by the authoritarian Chinese government, as in recent years China has been targeting the minority community by detaining them in internment camps.
Once an iPhone was infected, the Chinese government could allegedly look at the target’s private data, including their messages, passwords and location.
While the main purpose of the malicious websites was to target Uyghur Muslims, the hack was also targeting non-Uyghurs, since the websites were indexed on Google Search and were accessible to anybody. This led to the FBI asking Google to remove these websites from its search engine.
Apple’s software security has seen a decline over the past few years, as we have seen multiple vulnerabilities in the iOS and macOS systems. Back in 2017 Apple released macOS with a major bug that allowed anyone to log in as admin without entering the root password. More recently Apple made an unprecedented mistake of reintroducing an iOS vulnerability that it had closed in earlier versions of the operating system. This mistake allowed hackers to release an iOS 12.4 jailbreak to the public.
That’s not to say it’s all bad, as Apple has recently amped up its iOS bounty program and has started offering a bounty of up to $1 million to anyone who finds and reports vulnerabilities to the company. Apple has also expanded the program to macOS.