Google’s Project Zero security researchers recently discovered a number of hacked websites that, for years, installed malware on the iPhones of people who visited them. Once a user had visited one of the sites, the hackers were able to target personal data including photos, messages and location. The security researchers reported this vulnerability to Apple earlier this year, and Apple patched the issue with an update.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Project Zero's Ian Beer wrote in a blog post.
Apple, often considered the epitome of security, rarely has such issues, and its devices are often believed to be among the few that are highly secure. Apple has initiated several bug bounty programs that offer up to $1 million to security researchers who find potential vulnerabilities in its devices.
The attack was described as indiscriminate: hackers usually target a single person by sending them links privately, but in this scenario anyone who visited the website was targeted and monitored. Security researchers reported that the site received more than a thousand visitors per week.
"The very nature of iOS, intended to keep devices secure, may have worked against us in this case by preventing the attack from being discovered," Thomas Reed, director of Mac and mobile security, responded.
iOS does not allow malware scans, which was an added advantage for the hackers and may have led to the late discovery of this vulnerability. Reports point out that the issue lasted more than two years.